As a continuation of our series on analyzing mobile images in multiple tools, this blog focuses on using images created by MSAB XRY. For more information on the multi-tool approach and other image formats, see our intro blog here.
MSAB XRY creates both physical and logical forensic images in a proprietary format using the .XRY extension. It is possible to extract the RAW/BIN physical image from the .XRY container and the logical files from the .XRY logical images; however, you must use XRY to prepare the data first. This is done with XACT, which is included with XRY. Once the .RAW or logical files are extracted from the .XRY container, an examiner can run the image through other commercial tools and parsers such as AXIOM.
Creating a RAW/BIN from an .XRY Physical
1. In XACT, open the extraction using the “open a project” option.
2. When the extraction is loaded, expand the project tree until you see the File system node.
3. Right-click in File system and select the option Export > Node Data…
4. Select where you want to save the file and give it the .BIN extension.
Creating a File Dump from an .XRY Logical
The first two steps for creating a file dump from an .XRY Logical are the same as for creating a .RAW from an .XRY Physical. Below are steps three and four for extracting the logical files and folders from an .XRY file:
3. Right-click in File system and select the option Export > Export All Files…
4. Select where you want to save the files.
Loading XRY Images into AXIOM
Once you’ve exported either the physical BIN or logical files from XRY into a more friendly format, loading them into your tool of choice is relatively straightforward. To do so in AXIOM, open AXIOM Process and, from the Evidence Sources window:
- Choose “Mobile”,
- Then either “iOS” or “Android” (depending on the type of device being examined),
- “Load Evidence”,
- Then select “Image”
This will let you load the images created by XRY into AXIOM. From there, choose your options and artifacts and process the image like any other.