Loading XRY Images into Magnet AXIOM

As a continuation of our series on analyzing mobile images in multiple tools, this blog focuses on images created by MSAB XRY. For more information on the multi-tool approach and other image formats, see our intro blog here.

MSAB XRY creates both physical and logical forensic images in a proprietary format using the .XRY extension. It is possible to extract the RAW/BIN physical image from the .XRY container and the logical files from the .XRY logical images; however, you must use XRY to prepare the data first. This procedure is done with XACT, which is included with XRY. Once the .RAW or logical files are extracted from the .XRY container, an examiner can run the image through other commercial tools and parsers such as AXIOM.

Creating a RAW/BIN from an .XRY Physical

1. In XACT, open the extraction using the Open a project option.

2. When the extraction is loaded, expand the project tree until you see the File system node.

3. Right-click File system and select Export > Node Data…

4. Select where you want to save the file and name it with the .BIN extension.

Creating a File Dump from an .XRY Logical

The first two steps for creating a file dump from an .XRY Logical are the same as for creating a .RAW from an .XRY Physical. Below are steps three and four for extracting the logical files and folders from an .XRY file:

3. Right-click File system and select Export > Export All Files…

4. Select where you want to save the files.

Loading XRY Images into AXIOM

Once you’ve exported either the physical BIN or logical files from XRY into a more friendly format, loading them into your tool of choice is relatively straightforward. To do so in AXIOM, open AXIOM Process and, from the Evidence Sources window:

  • Choose “Mobile”,
  • Then either “iOS” or “Android” (depending on the type of device being examined),
  • “Load Evidence”,
  • Then select “Image”

This will let you load the images created by XRY into AXIOM. From there, choose your options and artifacts and process the image like any other.

For more details on how to load other images into AXIOM, see the other blogs in the series: Cellebrite & Oxygen.