MSAB XAMN

You’ve already extracted data from a mobile device, you’re up against the clock and you’re trying to analyze large amounts of mobile device and app data. Where do you start? 

Join us for a 30-minute free webinar and learn smart techniques that can be used within MSAB’s XAMN analytical platform to help sift through the large volumes of data that are produced by modern day smartphones. You’ll learn how to use XAMN powerful built-in functionality of to filter and tag data, build timelines of suspect activity and understand how to associate that data into person profiles for quick reference. 

If you are new to XAMN try our free XAMN Viewer, a powerful free mobile forensic tool. Learn more here: https://www.msab.com/products/xamn/ 

Transcript:

Adam Firman: Welcome everybody. I appreciate that you’ve taken time out of your busy day to join us here today and learn more about XAMN. So who am I? Obviously, the details are on screen. I was a police officer for 15 years and I worked the majority of my time in the digital forensic unit. I started out in data ingestion and then moved into the review of the data, given evidence multiple times at court, as a police officer, and also as a private consultant. So hopefully I can share some of that knowledge with you today. 


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Just a quick insight into some of the figures we’re seeing nowadays: I should imagine these numbers are even higher. Those of us in the industry, none of this will come as a surprise, but what we do need to find out is what’s relevant to our investigation, and how are we going to cut out the unnecessary noise and allow us to focus on the actual details of our cases.

Now I’m sure many of you are going to be familiar with the phrases on the screen, either as the person requesting the exam, or because you’ve rolled your eyes as the examiner. Now in law enforcement, we utilize triage in every aspect, whether it be emergency response or dealing with missing people, et cetera. And triage, put simply, is just a methodical approach to determine what can be done and what the priority is once that is known. Now, triage with mobile forensics is not a new idea. However, the last five to six years, we’ve seen such an explosion of data and devices that we’re really left with no choice. We’ve got to define strategies, look at policies and deploy solutions to manage those challenges because otherwise the backlogs are just going to get greater.

Now I travel – very lucky to travel – to police forces all over the UK and Ireland. While a lot of them already implemented some form of triage, it’s quite a surprising number that are still just doing full physicals every single time and seizing every single device. There’s going to come a point where we just can’t cope with that anymore. So at MSAB, to help our examiners deal with that, we have the XAMN family. Now to begin with the key challenge were mobile devices was accessing the data. Today, it’s making sense of that data. So XAMN allows you to view data from every angle. Now we’ll quickly just look through these, because I’m mindful that what you guys have turned up for is to actually get into the product and see how we can help you. But XAMN comes in different flavors.

First off, we’ve got XAMN Express, which is optimized to be used on the kiosk and the tablet. It’s not designed for an examiner to sit there for hours and sift through the data. It’s really just to have a brief look, to make sure that you’ve got the date you were looking for.

Now, XAMN viewer is the old version of the much loved XRY Reader that our support team get questioned on daily as to where it has gone. This is XAMN Viewer. Exactly the same product, just looks slightly different, and you can include that in your extractions. So if you’ve got other team members needing to look at it, you can include a copy of XAMN Viewer with your report and then it can be opened up. And it’s also freely available to download from our website.

Moving on, XAMN Spotlight allows for multiple XRY files. In one case, a host amongst other features. We also have Horizon, which allows geographic views, further analytic tools to connect persons and conversations together. And most recently we’ve added person identification because the details from one individual can be tied into many, many different artefacts. And as you can see on screen there, you can end up linking a person with email, several telephone numbers and identifications from different applications.

Another great addition in XAMN is being able to easily identify file mismatches. So if people are trying to disguise pictures or videos, it’s different files and literally just changing the file extension, XAMN has a handy filter prebuilt in where you can quickly identify those.

Now image recognition is also built into XAMN. However, this will have needed to be run on the XRY process at the beginning. Now this isn’t going to be for every job, because it does obviously add time to the decoding process, but if you’re purely working an images case, then it might be beneficial to ask if image recognition can be turned on for your extraction.

And finally, we have XAMN elements, which is more for your high tech lab, if they want to verify findings and have a deep dive into the hex. We also include drone view, which allows you to… if a drone has been extracted with XRY, allows you to view start, stop times, flights, and puts it into a fantastic product, which would really go down while in a court case and would allow people to visualize exactly the movements of that drone.

Now, if you find yourself working in child sexual exploitation, child abuse, then we do integrate with project VIC and CAID in the UK, which allows you to obviously link the database up to XAMN and you can pre-categorize those images and you can also hide them so they’re not on view. As we’ve discussed, obviously the sheer size of data is becoming astronomical. So here at MSAB, we’ve worked alongside Nuix to make an easy export button, which allows you just to export the data in an easy format that could be easily ingested into Nuix.

Now, obviously I’m sure everyone has taken in what is involved and included in each separate element of XAMN. And as you can see on screen, this is roughly showing you what’s included in each version. So at that point, pause to take a breath. Obviously I appreciate it’s been death by PowerPoint to begin with, a lot of information to take take in, but what we’re here for today is how we can help you speed up your analysis, improve efficiency, and let XAMN do the hard work for you.

So the extraction I’m going to be using is an iOS image that was provided by Josh Hickman. And that’s available on the website that you can see there. I like to use this extraction for transparency. It’s available for everyone to use. That’s great for honing your skills of XAMN, and any other tool for that matter. The documentation that comes with it is great, allows you to see what data should be parsed by your tool. And if it isn’t parsed because no single tool does everything, it allows you to go hunting and find it for yourself. And sometimes we need to do a bit more than just press the find evidence button.

And just like that, we switch into XAMN. Now, most of you have used the latest version, this case screen won’t be a surprise to you. Obviously we’ve opened it as a case. You can see my case details on the left, my data sources in the middle, and the investigator’s section on the right. Now, for those of you who just love XRY Reader and refuse to let it go, the kind people at MSAB put this button in just for you. So if we just click classic mode, apart from the colors, it’s going to look the same as XRY really used to: brings it up in column view, and here are your artifact categories down the side.

Now what I want to do is just show you the difference between XRY Reader and just normal XAMN mode. And as you can see here, XAMN offers you so much more. And that’s why we’d really want people to adopt XAMN and try and move away from XRY Reader. But obviously we appreciate nobody likes change.

Another great feature within XAMN that allows you to do. And obviously we’re all working in different sites, different locations; an extraction that you’re dealing with might have been extracted 200 miles away, maybe even more. And you want to check that that data is still same data that was extracted. In XAMN, if you go to data sources at the top and you simply right click your data source, you can click that to check integrity, which will then do a check of the XRY file, and providing everything’s okay, it will come back and tell you that the file is intact. Again, another great tool, if you’re moving a lot of data over networks. I won’t check the integrity of this now, because it does take some time. As you can see, it’ll just come up and slowly run through the verification process.

Now, in regards to this extraction, I’m aware that it was provided by Josh Hickman, who, for those of you who don’t know, Josh is an examiner based in the United States on the East coast. So before we start looking at any data, I’m just going to change my time zone to reflect. So I know that Josh is on the East coast, so I’m going to use minus five. So now our time is reflected with the artifacts that Josh created. So as we look, have a look at the artifacts that have been parsed out, the image Josh created, you can see that: absolutely huge. Now, if any judge or lawyer expects us to review every single one of them artifacts, we would be there for weeks, if not months.

So let’s look at some of the great tools that XAMN offers you. The first one is quick views. Quick views are great, and allows you to apply predefined filters the MSAB have made, but we can also make our own. So let’s make one on, say, our location. So if we go into chat, and all I’m doing here is sorting into conversation view, which then allows me to see each chat conversation that is present on this device. We’ll go to WhatsApp, and you can see here, I find location data, oh, here we go. Live location. You can see I’ve got a lot of latitude and longitude. And what we can do is we can create a filter on the fly with this. So if we just select the latitude, and we right click, you can create a location filter. So what we’ll do is, we’ll do that into a new tab. And again, XAMN is similar to a web browser, you end up with different tabs.

So now we have a filter applied that’s a given location. And if we have a look at this filter, you can see here, this is based in the States and this location is currently being applied as our filter. And we can grab this radius and just move it. And you can see if you look at my artifacts at the top, at the moment, I’ve got 1911 for now, move it and press okay. You can see that’s increased. So it’s a dynamic artifact count.

But again, rather than just move your location, how I did, you can also edit here so you can make it up to 15 kilometers, down to five. And again, that’s another great tool that not many people realize. So once we’ve made that filter and we’ve decided that this is the data that’s going to be relevant to us, what we can do is, we can save that as a quick view. And we could export that quick view to other examiners. Let me show you how.

So down here, obviously these are the predefined quick filters, but what we can do is we can create a new one that’s relevant to this case.

So now we’ve got a quick view of XAMN 101, and we know that’s been created by us because it’s indicated by the look person indicator. So if we hit okay, we come out of there. Go back to the start page. You can see the quick view has now been added. If we select that, then a new tab will open with exactly the data we are presented with earlier.

Now, if you’re working on a team and you’re working at different locations across the country, and you want to share this amongst other examiners, what you can do is come up to quick view, select your XAMN 101, and simply export: send that file to fellow examiners. They just choose the import option when they receive the file, and you’re now both working with the same location filter. Again, just a great way of working as a team.

So we’ve now created our quick view, and we could review that data, see what messages, what images have been presented if that was relevant to our investigation. Now at the moment, we’re only seeing data that is relevant to our quick view, which as obviously we know is based on that location parameters that we set. Now XAMN indicates that a filter is in place, because a lot of these are greyed out, and we also have the option to clear the filter selection here. So if we press that, we were again presented with too much data to handle really.

Now, another great use of XAMN – and I find not a lot of people realize this – is when you hover over items within XAMN, you’re presented with a help box. For example, here, you’re being told about the wildcard feature. Now, for those of you who don’t know, XAMN indexes your evidence for you. So if you were to start typing, XAMN will start giving you suggestions of texts that’s already present. So for example, to use the wildcard feature, as the help indicator is highlighting there that if we use an asterix, that’s also going to add results on. So if we were to look for, “this is *” that could bring back, this is there, DFIR, this is the dream, and all of those results below. Whereas if we just selected that, that is all we would get.

And again, what we’ve got now is we’ve filtered and we are only sharing results that include “this is.” And another handy thing about XAMN is that you can rename tabs, which I find if you’re working on a case for several days, potentially weeks, and you end up with multiple tabs, and I know that will stress some of you out who have got OCD about multiple tabs, but being able to name them and sort of drag them around, and recategorize them, I find really helps.

So what I want to show you now is for those of you who do a lot of investigations with images, so we will pull up the image category.

And obviously people have got their different preferences about how they like to view it. If you were reviewing a child abuse case, for example, you’d probably view it in category view, gallery view, so you could get through the vast quantity of images as quickly as possible.

Now, what a lot of people don’t realize is that in column view, you can actually edit what you see within this column. You notice we have a little cog here. If you select the cog, you can now decide what data is relevant to your investigation. Some of this might not be relevant, and other parts that aren’t included, may be. So being able to define your view in those columns, I think, is a great feature, and one that quite a few people are shocked when I tell them they can do that. They just never realized. And again, most people know that you can sort of drag these around to suit your particular case.

So let’s start looking at the images in gallery view, because another feature that I’d like to show you is the Dhash. Now, obviously some of you are going to find: what even is a Dhash? I’ve heard of an MD5, SHA-1; what is a Dhash? So on our website, an MSAB employee states a Dhash is a visual hash, which can be used to quickly find similar pictures. Creating a Dhash value doesn’t change your original picture. It differs somewhat from normal hash algorithms, such as SHA-1, in that it doesn’t require an exact match to find similar pictures. The amount of bits that differ between two Dhash values are a measurement of how similar the images are.

So let’s have a look for… and see how Dhash works. So I know I’m looking at an iOS image, so I know most of the images that are taken by the camera are going to begin with “img.” So apply that as a filter. And again, this starts to look like images that you’d expect to find in the camera roll of an iOS device. And we’ll select one of the… obviously Josh is a Star Wars fan… and you can see on the right hand side in the details pane, we have a Dhash value, which is just below the SHA-1. Now to select the D hash and find similar pictures, you press this button here.

And once we click that within a new tab, you’re going to be presented with images that have got a similar Dhash to the one you selected. And as we go through, we can see the different iterations, et cetera, of the same image. So Dhash has worked very well in this particular instance. And it’s just a great way of showing you that if you’re looking for similar images, have a go at Dhash, sometimes you may get inaccuracies, but again, it’s just one of those great additions that there that when it does work, it will save you a lot of time. And again, just to reiterate, if these images were irrelevant, I could automatically just rename my tab.

And now I’m getting somewhere with my investigation. So I know I’ve got the case, got the pictures, and I’ve got my images of relevance. So what we’re going to do now, so we’re going to start with all artifacts. And we’ve been told in this case that Josh has been looking to set up a Zoom account in April to discuss anti-digital forensics. So that’s what we’re going to be looking for. And XAMN, we can do a straight tech search resume, but we’ve got the intelligence to say that this was done after April, 2020. So why not apply a date and time filter?

So we can come here, set custom, and XAMN’s automatically given me the option to run it from. So I’m just going to go, 1st of April, I’ve got no end date because the only intelligence I’ve been told at the moment is that the user set up a Zoom account around April.

So we’ll let that run. So now you can see we’ve lost 800,000 artifacts. And we now just whittle down some of these numbers. And rather than apply Zoom at the beginning, I almost like to add a date, so it just allows me to pivot and make a smaller subset to search for. So now we’re going to search for Zoom. You can see that the pre-index in XAMN already brought up some Zoom services, Zoom settings, Zoom chat. So I think our intelligence was right, that Zoom is going to be present on this device.

And once we’ve applied our filter, we have now got some web cash results and Safari, some media, and some calls. You can see Zoom has been made to make some calls. We have some media files, and we have some Safari results showing that our intelligence was right: showing that there has been a sign-in to Zoom on the 16th of April on the 13th of April, and they viewed their profile. So if you are needing to prove this for your evidence, obviously making it an application to Zoom, to tie up that information, as well as evidence in this, from their device. There’s great evidence.

So what we’re going to want to do is we want to tag these; and obviously for people who’ve used XAMN and XRY Reader for a number of years, [inaudible], it’s become second nature. But what a lot of people forget is when you have a group of investigators examine the same case, but different devices, sharing tags, like our quick views, is another great feature that XAMN allows you to do so. Especially in the UK, people are working against ISO 17025 standards where procedures and policies have to align, working from the same tags just allows for a clearer investigation to be had. So let’s see how we can do that.

So we’ve selected the seven artifacts from within Safari, and we want to make a new tag. So, and you, again, XAMN, the lovely people in Sweden who have allowed you to choose which color suits you. So this could go inside of what… an operation name, etc, but we’ll go for blue. Let me click add.

Now at the moment, this tag is obviously only relevant to my local machine. So if I hot desked, and I picked up my examination from multiple workstations, what I would want to do, is similar to how we chose quick views, because I would want to export my tags. So then the next time I worked on an instance of XAMN at a different workstation, I could import it and my same tags are there. So we now have seven artifacts that are tagged with our new tag, Zoom 101.

So the intelligence goes on to suggest, that following Zoom creation, that the conversation moves on to iMessage. So on the left hand pane, you can see that XAMN has automatically categorized different apps for you. And you have artifact numbers within each app. Obviously we’ve got Apple, SMS and MMS, WhatsApp, et cetera. And iMessage. So if you wanted to bring in several different applications, you can just hold down shift and select different apps, and you can do the same to remove them. Yeah. And again, here we’ll go into conversation view, we’ll bring up the conversation that then results in messages that are shared between This Is DFIR and Joshua Hickman, which is where they’ve been sharing attachments. So we’ve identified that these four messages and we also want to have this paper, okay, can it be of relevance? And we can right click, choose tag, and we can add it to our Zoom 101 tag.

So now, if we clear filters, we will notice that we do have a tag at the bottom, which is what we presented, which is Zoom. And we have 12 artifacts. And if we wanted to get this off to the prosecution service, to look at the case for a quick charge decision, this is just a great way of identifying 12 quick artifacts to add a bit of weight to your evidence.

So there’s several different options for reporting in XAMN: that’s probably one of the biggest questions that support, myself, and many other colleagues get questioned on. And there are so many options there. And it’s just a case of trying until you find the right one that works for you. I generally find if your case involves a lot of chat, then power chat is going to be applicable. But again, if you have like this, a mixture of web, mixture of chat, then playing about with the different export options is going to help. So, what I like to do before I create a report is, I always change my sort by, I want to go with time, because I like it in a timeline. It makes it easier to explain, and it gives the best possible view where you can show it started on the web, Zoom, sign-in, it then moves to messaging where they’ve exchanged details and it just paints a better picture.

So to create a report and say, do you have several options? And the report is the middle button. You can output to several different formats. So if you’re aware that your prosecution office will only deal in PDF, you can create a PDF. If you’ve got fellow investigators who you’d like to have sight of the report, but you know, they prefer working in Excel. Again, I can select several of these all at once and save, creating a report and run them through this process several times. And there is a Nuix option that we spoke about earlier. And again, if we just went for PDF to begin with, you can see that XAMN is showing you the roadmap as to how we’re going to get there.

So we begin by choosing our artifacts. No, I don’t want to make one on 285,000 artifacts. We’ve just spent the time filtering our data, so we’re going to select filtered. And you can see the next option will be the options with a PDF. Again, if I chose Excel, you’d see that we’d have options for Excel, but we’ll get a PDF. And this is the one I was talking about earlier in regards to power chat. This is really the best format for power chat. When you’re viewing lots of different conversations, if we wanted to include iMessage, if we wanted to include WhatsApp, then power chat really is the best because it shows you the [indecipherable] and you can also change your thumbnail views.

So if we just start with a standard, because what we’re going to include is website hits and messaging. So here are the options: do we want to include metadata or media files? Do we want to include our examiner notes? Cause obviously as we’re going through our investigation, we can make several examiner notes. Just to say, if you’re working on a big case, this is just one device. If you had 10 devices that you were going through, you’re going to be sat here for quite a while. So making notes for yourself is highly recommended, but we might not want to include that in our report. So we’d untick it.

Do we want to include geographic links? Do we want to include our tags, or are our tags only for our benefit? Again, I used to leave those out. Now XAMN allows you to customize your reports. We haven’t had chance to go in that today, but you can include obviously agency logos. And within the options here, you can really go into detail about how you want to include things. Do you want your logo on the left? Do you want it on the right, et cetera? Again, like I said at the beginning when we discussed reporting, it really is a case of just keep playing with it until you get it the way you want.

So we’ll tick all of these out. We want to include the case data. We’ll include the first page. And we’ll include device overview. So we get next. Now we do also give the option to export to a zip file, which you can password protect. We’re just going to leave it as a PDF at this stage, and hit export. And you’re presented that you can open the folder. Apologies, I’m working on several screens, so I’m just trying to work out which screen that’s popped up on. And here we go.

So we now have here got an export log again, helping to align with ISO 17025 standards, showing exactly what you’ve explored and we can open our PDF, which again has opened on a different screen.

And again, with this time it’s broken the messages in the chat into different tabs. Now we could address this and get it all to run in a single timeline, but it really is a case of just carrying on and practicing until you get until you know how XAMN reports while on chat applications and web applications and how… if you want to create a timeline report.

So what we’ll do now is I’m aware that several questions are coming in. So I don’t know if Greg and Will want to join the chat, and you make me aware of any questions that we could live demo.

Host: So one question I have been asked by my prosecution lawyer to redact all phone numbers to just the last four digits for court presentation; can XAMN do that?

Adam: It’s been a while since I’ve done that one. Greg or Will, have you got knowledge of the best way to do that?

Greg: Yeah, I don’t believe that within XAMN itself can redact the data that’s exported. Now you can probably do that with the exported data that… once it’s in a PDF or in an Excel spreadsheet, but it cannot be done within the XAMN tool, because the XAMN tool is designed to get you out the evidence in its entirety. We don’t like to manipulate the data within the tool itself, but it would most likely be done outside of the tool.

Host: So next question: are location filters able to show phone calls and VOIP app-based calls made and received from cell sites in specific areas?

Adam: Providing you import the call data records. But obviously when we created our location filter earlier, if you expanded that location filter to include applications that included what cell tower they’re connected to, then that would be included in that filter. Unless there’s anything Will and Greg, you can think of?

Will: No, because I think that the answer you gave was the the correct answer and a good answer because again, cell tower records and cell tower data are specific to the cell tower itself. I know there’s a correlation between the phone call and the cell tower record. But I don’t think we’re doing any matching IDs. Again, XAMN is more of an analysis tool. It’s not, it’s not like a Cellhawk type of program. But again, if you ingest the call data records and also you can import as a user [indecipherable] the cell tower locations, that will be probably put in the same map area when you do a locations filter.

Adam: Thanks Will. And that’s the beauty of XAMN, because like we showed earlier, when you’ve got several tabs open and you’re one of those people with 400 Chrome tabs open and you want to save it and share this where you’re currently at with a fellow investigator, we obviously showed you the export option. You can also save your XRY file as it is at the moment. So then it can be picked up at a later stage or passed onto another examiner.

Another great feature that I realised that I hadn’t included, and it’s not so relevant for iOS, but we do have a known data library. So similar to CAID and project VIC, where obviously iOS devices, Android devices, et cetera, they all have custom images, custom files. Some of these may not be relevant to your investigation. So on our website, once you get logged into the customer portal, you can download that known data library.

And if we just come here, we can quickly exclude it. And we can obviously see our artifact count here. It’s 285. If we now exclude, I’m not expecting huge results because it is more focused on Android at this stage. You can say here, does it make a difference? Slightly. Yeah, yes. It’s removed a few.

And again, if you want it to include it or show only name data, just to make sure that we haven’t made any mistakes and we’re hiding them precious artifacts that you wanted to see, again, you can just show what were excluded. And again, these are just graphic images that are going to hold no relevance to your case. And we can include known data and we’re back down to the original.

Any more questions that are coming in from chat?

Host: Yep. A couple more. Are you able to show a way of adding keywords or hash lists for quick triage?

Adam: Yeah. So in regards to keywords, you have a couple of choices. You could run a watch list with your extraction. So in my old unit, we used to run one for legal privilege. So we would look for solicitor, barrister, just to confirm that if there was any communication between subject and his solicitor, then we weren’t privy to view that data. So we would run that.

But you can also work off the same keyword list. And to do that, you would come to this magic button here, I think was hidden, the little plus, the add new filter. And again, we went for a quick views, which obviously a predefined filter set might be called locations et cetera, or the one that we created. But there are several filters that the developers of XAMN have spent time creating for you, where you can just do project VIC, or you could do recognize content, which we discussed earlier. We can talk about hidden artifacts, file extension mismatch, but we can also have a word list where we can add a file if it’s been created for this particular investigation, or we can create a new one on the fly.

So to add a file, you just click add a word list. And that brings in the keyword lists that are relevant for this. And you can quickly edit that on the fly.

And create a new one. Just to show you how that works. Ask you to save the name, if I could spell. And it allows you just to add them on the fly. So some of the words that we saw earlier: Netflix, CIS diagnose, and once we hit okay, there’s our webinar keyword list applied instantly. And you can see it’s identified the keyword.

Next question. Hopefully that’s answered that one.

Host: Sure. How can you easily filter software icons and images so you’re left purely with images from camera roll or social media applications?

Adam: So there’s several ways of doing this. Like when we were starting the investigation, I said that I was aware this was an iOS device. So I was going to look for img, because I know that img is contained in the file naming of pictures on iOS devices. And again, here, if we start to look down, we can see that these are called img.

We can also apply different filters. So just because we’ve got the one filter on, which is img, we can add another filter. So if we just wanted JPEGs, then if we go to file name, this allows us to add an extension. So we could go to JPEG, which then allows us to drill down even further. So we’re not including PNGs and likely system files. And hopefully that covers the question, unless any of my colleagues can think of any other tips?

Greg: Yeah. At that point you can even choose what apps that you wanted the photos to show up for using those individual apps. If given a list of apps, you can kind of narrow it down from there and just choose them using the push pin, and then whatever apps you want to see those pictures from, and then do an export.

Adam: Yeah. So as Greg has just mentioned, obviously, if you were just after certain applications, so you were just after what had been transmitted in WhatsApp and Viber, then you can either shift and click these, or you can use the push pin. So it allows me to select WhatsApp, Line, Apple SMS, iMessage. And if there were any pictures that were transferred in that we would now be viewing them here. So hopefully that’s cleared that up. Thanks Greg.

Will: And Adam, if you would leave that filter on and added a locations filter, once you have those three filters applied, you can save that filter. And now you can apply that filter for any investigation that requires you to go ahead and look for those particular criteria.

Adam: Yeah. Which is similar to what we shared earlier, the quick view, whereas Will’s just expanded on it and said that you could use messages, et cetera. And really, as you’re working as a team across the country, across different organizations, allowing the export of these filters is a great feature.

Host: Great. Are you able to show how the translation add on works?

Adam: Good question. I don’t know if I’ve added the translation add on. Will, I’m aware that you’ve used it a fair bit with Spanish?

Will: Yes. So if you just select a chat for instance, and you are looking for a particular conversation and it’s in a different language, then what you basically do is select the chat on the metadata side and you right click, and then it should be… if you have the translation module there… there it is right there, translate. And then you can create that either in this particular tab, or you can create a new tab. And the nice feature about that is that you can select multiple chats in that middle pane chat view, and you can translate multiple translations at once as well. And the chat, the translation itself, is actually put inside the examiner notes for you.

Adam: That’s fantastic. And I’m appreciative that you’re there, Will, because I worked for a police force, so we didn’t really deal with sort of ports or airports. So being typically in Britain, we only liked it to talk the Queen’s English. So we didn’t really deal with many other languages, but I know there’s a fair few guys on who work in ports and airports. So that would be really handy for them. Thank you.

Host: Great. When evidencing meta or location data, is there a way to include the geographical map on the exported report?

Greg: So by default, any export that’s done through XAMN, you automatically get a screenshot that’s included the report. So any any tab that you’re actually doing in the existing XAMN, a snapshot will be created. Plus we also have a capture feature that also allows you to do screenshots and videos of your entire session.

Will: Yeah. And just to add on that in addition, you can choose to add hyperlinks within your report for those locations. Used externally with Google maps or whatever, Google, whatever mapping system you have access to on a connected computer as well.

Host: So I think we have time for one more question, Adam, and then if there are any other questions would you mind putting your contact information just in the chat so people can reach out to you?

Adam: Most certainly.

Host: but the last question for you: can you filter out a hash set of known files or [indecipherable] type files?

Adam: That would be with… similar to project VIC which we spoke about earlier. So you could create a hash list here. So I’ll just go through that again. So we went to add a filter and we can add a hash filter, which we could then add. If we’ve got a file with known hashes that we wanted excluded, then we could exclude those.

Greg: Yeah. I guess it’s worth noting now, Adam, that, that any, any file any filter on the left side is not only and include this type filter, but every one of those also has the ability to choose it as an exclusionary filter as well.

Adam: Yeah. So there we go. Just highlighting exactly what Greg just said. So once we’ve added that filter, so we added the hash, we can just come to the phrase ellipsis and we can exclude it. So that would be how you would exclude it from your investigation.

Just one more thing before we go, just like to give a shout out to our trainers who are putting a ton of content up on our YouTube channel. And in this period of lockdown, if there’s anything that you’ve found interesting today, our examiners and trainers have put out great little short videos that you can watch that will just give you a reminder of how to use the column, view, how to tag artifacts, et cetera. So be sure to check those out. And [indecipherable] my details passed on the screen, but you can see me going into Hogwarts. Well, I don’t think covid has reached yet, but I’d just like to thank everyone for taking the time. No, you’re all busy, busy people. So I appreciate you making the effort to be with us today. And hopefully even if we’ve taught you one or two things, then it’s been worth your attendance. Thank you very much, everybody.

Leave a Comment

Latest Videos

Latest Articles