In the rapidly evolving field of digital forensics, mobile devices have become both a treasure trove of evidence and a significant challenge for investigators. With billions of smartphones worldwide, each containing potential evidence ranging from communications and location data to financial transactions and multimedia content, law enforcement and forensic professionals require powerful, reliable tools to extract and analyze this information.
MSAB XRY (pronounced “X-ray”) stands as one of the world’s leading mobile forensic solutions, trusted by law enforcement agencies, military organizations, and government bodies across more than 100 countries. Since its development by MSAB (Micro Systemation AB), a Swedish company listed on Nasdaq Stockholm, XRY has established itself as a de facto standard for securing digital evidence in criminal investigations worldwide.
What is MSAB XRY?
MSAB XRY is a comprehensive mobile forensic software suite designed to extract, decode, analyze, and report digital evidence from a vast range of mobile devices. Unlike consumer-level data backup tools, XRY is built specifically for forensic purposes, ensuring that extracted data is forensically sound, legally admissible, and presented in a format that investigators can efficiently analyze.
The software supports an extraordinary range of devices, including:
- Smartphones and feature phones (iOS, Android, and legacy platforms)
- GPS devices and navigation units
- Drones
- IoT (Internet of Things) devices
- Vehicle infotainment systems
XRY is not a single product but a comprehensive ecosystem that includes several specialized components:
| Product Component | Primary Function |
|---|---|
| XRY | Core extraction and decoding software |
| XRY Pro | Advanced solution for locked and encrypted devices |
| XAMN | Forensic analysis and visualization platform |
| XEC | Case management and reporting tool |
This modular approach allows agencies to select the capabilities they need while maintaining seamless integration across the entire investigative workflow.
The Evolution of XRY: Key Version Highlights
MSAB maintains an aggressive release schedule, typically delivering eight updates per year to ensure XRY stays ahead of new devices, operating systems, and security features. Understanding these updates provides insight into the tool’s capabilities and development direction.
XRY 10.7 (October 2023) – Laying the Foundation
Version 10.7 marked a significant milestone, introducing support for iOS 17 and Android 14 within weeks of their public releases. This rapid response to new operating systems is critical for forensic investigators who cannot afford to wait months for tool updates.
Key features introduced in this release included:
Optical Character Recognition (OCR) in Apple Photos: XRY began recognizing text within images stored in Apple Photos, making handwritten notes, screenshots, and document photos searchable within XAMN. This capability dramatically accelerates investigations where visual evidence contains written content.
Selective Extraction for Full File System (FFS): Perhaps the most significant workflow improvement, this feature allows investigators to extract data from specific apps rather than the entire device. What previously required 40-60 minutes for a full extraction can now be accomplished in as little as two minutes when only specific app data is relevant. This capability also addresses legal constraints in some jurisdictions where investigators may only extract evidence relevant to the specific case.
WhatsApp Chat Lock Decoding: When WhatsApp introduced biometric-protected “Chat Lock” features, MSAB quickly responded with decoding support, ensuring encrypted conversations don’t remain hidden from lawful forensic examination.
Berla iVe Import: Recognizing the growing importance of vehicle forensics, XRY 10.7 added support for importing Berla iVe files, allowing investigators to correlate mobile device data with vehicle telematics including locations, routes, gear shifts, and connected device information.
XRY 10.10 (June 2024) – Expanding Reach
By mid-2024, XRY had reached impressive scale, supporting over 47,000 devices, 480+ apps, and 4,600+ app versions.
Broader Android FFS Support: Version 10.10 added new exploits to the Android Full File System Consent Generic profile, dramatically expanding extraction capabilities for hundreds of new Qualcomm-based Android devices.
Drone Forensics Integration: As drones become increasingly common in criminal activities and accident investigations, XRY introduced dedicated drone import profiles. Investigators can now view flight paths, planned routes, and telemetry data within XAMN Pro’s specialized drone analysis tab.
Expanded MediaTek Support: Building on existing leadership in MediaTek chipset support, XRY added the MT6789 chipset (found in devices like the Unihertz Jelly Star) to its Android MediaTek Generic profile.
XRY 11.2.1 (November 2025) – Refining the Core
This release focused on improving core extraction capabilities for modern devices:
Enhanced FFS Extraction: Full File System extraction became available for a broader range of unlocked Android devices, with improved performance for newer MediaTek chipsets.
XAMN Source Verification: A critical feature for legal defensibility—investigators can now verify the exact source of artifact properties directly from SQLite databases in source mode. This transparency is essential when evidence must withstand court challenges.
XRY 11.4 (March 2026) – Breaking New Ground
The most recent major release at the time of writing introduces genuinely groundbreaking capabilities.
Native GPU Brute-Forcing: Password recovery traditionally required dedicated servers or external GPU rigs—resources many investigators don’t possess. XRY 11.4 changes this by tapping into the existing GPU power in standard workstations. Supporting NVIDIA, AMD, and Intel GPUs, this feature makes high-speed password recovery accessible without additional hardware investment.
GPS Device Extraction – Market First: In a significant expansion of scope, XRY now supports extraction and decoding from GPS devices. This capability is particularly valuable for maritime operations, border control, and search-and-rescue investigations where location evidence from dedicated GPS units (rather than phones) provides critical insights.
Cryptocurrency Evidence Access: As criminals increasingly use cryptocurrency to obscure financial trails, XRY 11.4 introduces expanded support for crypto wallet extraction and decoding. The software also searches device RAM to uncover crypto-related data including wallet seeds, transaction IDs, and wallet identifiers—evidence that might otherwise be lost when devices are powered off.
XRY Pro: Advanced Unlocking Capabilities
Standard XRY performs logical and file system extractions on accessible devices. XRY Pro addresses the more challenging scenario: locked and encrypted devices.
XRY Pro employs multiple techniques to access protected devices:
After First Unlock (AFU) Bypass
For many modern Android devices, XRY Pro can perform physical extractions with AFU bypass, particularly for Samsung devices with Exynos chipsets including the S9, S10, S20, and A-series models.
Android FDE (Full Disk Encryption) Bypass
The software provides enhanced extraction capabilities for older Android devices protected by Full Disk Encryption, offering new methods for bypassing these security measures.
Streamlined Brute Force Workflows
Version 11.4 introduced improved Brute Storm workflows with fewer clicks and clearer recovery paths, allowing investigators to prioritize brute-force attacks before extraction when appropriate—significantly improving overall extraction speeds.
MSAB states their goal clearly: “Using MSAB state-of-the-art security exploits, those phones are not unbreachable anymore”.
Forensic Extraction Capabilities
XRY supports multiple levels of data acquisition, each providing different depths of evidence recovery.
Logical Extraction
The most basic level of extraction, logical acquisition retrieves data that is readily accessible through the device’s operating system—contacts, call logs, SMS messages, and installed applications. While this level is less comprehensive, it is often sufficient for many investigations and can be performed quickly.
File System Extraction
Going deeper than logical extraction, file system acquisition accesses the device’s file structure, recovering data from application sandboxes, system files, and deleted records that may not be visible through standard device interfaces.
Full File System (FFS) Extraction
MSAB’s FFS capability provides the most comprehensive extraction available for supported devices. This technique recovers the complete file system structure, including:
- Deleted database records
- Application caches and temporary files
- System logs and diagnostic data
- Artifacts from encrypted containers (where keys are available)
Physical Extraction with AFU Bypass
The most advanced level, available through XRY Pro, physical extraction creates a bit-for-bit copy of device memory. When combined with AFU (After First Unlock) bypass techniques, XRY Pro can access devices that have been unlocked at least once since boot—a common state for devices seized during active use.
Platform Support and Device Coverage
XRY’s support matrix is among the most comprehensive in the forensic industry.
iOS Support
XRY provides rapid support for new iOS versions, often within weeks of Apple’s public releases. Version 10.7 added iOS 17 support in October 2023, and subsequent versions have maintained this responsive update schedule. XRY supports logical and file system extractions from iOS devices, with capabilities varying based on device model and iOS version.
Android Support
Android presents unique challenges due to device fragmentation, custom manufacturer implementations, and varying security models. XRY addresses this through multiple extraction profiles:
Legacy Device Support
XRY maintains support for legacy phones and feature phones that may still be encountered in investigations. This backward compatibility is a significant advantage when examining older evidence or investigating crimes involving individuals who use outdated devices.
App Decoding Support
With support for over 480 apps and more than 4,600 app versions, XRY decodes data from popular communication platforms, social media applications, and messaging services. Supported apps include:
- WhatsApp (including locked chats and edited message timestamps)
- Facebook and Instagram
- Signal, Telegram, and other encrypted messaging apps
- Email clients across major platforms
- Navigation and location history applications
- Cryptocurrency wallets
The XAMN Analysis Platform
Extracting data is only half the forensic process; making sense of that data is equally critical. XAMN (XRY Analysis) is MSAB’s companion analysis platform that transforms raw extracted data into actionable intelligence.
Key Analysis Features
Cross-Case Correlation: XAMN enables investigators to analyze data from multiple devices simultaneously, identifying connections, communication patterns, and relationships that might remain hidden when examining devices in isolation.
Visualization Tools: The platform provides graphical representations of connections, timelines, and geolocation data, helping investigators quickly identify patterns and anomalies.
Powerful Search and Filtering: With OCR capabilities (added in version 10.7), XAMN can search text within images, including handwritten notes captured in photographs.
Source Verification: Recent updates allow investigators to verify the exact source of artifacts from SQLite databases directly within XAMN, supporting evidentiary chain-of-custody documentation.
Drone Analysis Integration
XAMN Pro includes a dedicated drone analysis tab that visualizes flight paths, planned routes, and telemetry data—critical for investigations involving drone incidents, smuggling operations, or surveillance activities.
Performance and Comparative Analysis
Independent research provides valuable insights into how XRY performs against competing forensic tools.
A comprehensive study published in the Journal of Forensic Sciences (March 2026) compared XRY against Cellebrite UFED and Magnet AXIOM across multiple devices. Key findings include:
Artifact Extraction Performance
| Device | XRY Artifacts | UFED Artifacts | AXIOM Artifacts |
|---|---|---|---|
| iPhone 11 Pro | 6,542 | 8,539 | 4,220 |
| iPhone 13 Mini | 173,140 | 135,024 | 355,671 |
| Xiaomi Redmi A3 | 280 | 285 | 329 |
| Samsung Galaxy A32 | 15,007 | 28,214 | 79,088 |
These results reveal important nuances about forensic tool performance:
Artifact Volume Varies by Device: On the iPhone 13 Mini, XRY extracted more artifacts than UFED (173,140 vs. 135,024), while on the iPhone 11 Pro, UFED extracted more. This suggests that device-specific factors significantly impact extraction performance.
Higher Counts Don’t Always Mean Better Evidence: AXIOM’s significantly higher artifact counts on some devices were largely due to cache-based and WebKit-related data including extensive web history (32,614 entries) and SMS artifacts (9,101 entries). Researchers caution that “artifact volume alone does not necessarily reflect evidentiary value”.
Balanced Performance Across Android: On the Xiaomi Redmi A3, all three tools performed similarly (280-329 artifacts), suggesting that for certain Android devices, extraction capabilities are comparable.
Usability Evaluation
The study also assessed user experience using the System Usability Scale (SUS):
| Tool | SUS Score |
|---|---|
| Magnet AXIOM | 71.0 |
| Cellebrite UFED | 69.2 |
| MSAB XRY | 59.7 |
XRY’s lower usability score suggests that while the tool is powerful, it may present a steeper learning curve than competitors. This aligns with anecdotal feedback from forensic examiners who note XRY’s depth of features requires significant training to fully leverage.
The researchers concluded that “forensic tool selection should balance decoding capability, artifact provenance, and usability to ensure reliable and defensible digital evidence analysis”.
Licensing, Pricing, and Training
Licensing Model
MSAB employs a perpetual license model with optional annual maintenance. A customer forum discussion clarifies the specifics: “The XRY license is perpetual. If you buy it, then it will continue to work forever on the version of software valid at the time of expiry. In other words, you can pay for 1 year and then use it forever if you want to”.
However, mobile forensics requires staying current. Without an active maintenance agreement, investigators lose access to:
- Updates for new devices and operating systems
- New extraction exploits and techniques
- Support for new app versions
- Technical support services
MSAB releases approximately eight updates annually, making maintenance renewal a practical necessity for active forensic laboratories.
Pricing Examples
While MSAB does not publicly list standard pricing, a government quotation from 2024 provides real-world figures:
| Item | Quantity | Price per Unit | Total |
|---|---|---|---|
| XRY Logical & Physical License Renewal (1 year) | 9 licenses | $4,305.00 | $38,745.00 |
This quotation reveals several important details:
- Annual renewal pricing is approximately $4,305 per license
- The law enforcement agency was renewing 9 licenses
- The 1-year renewal period covered May 2024 to May 2025
- Volume purchasing (9 licenses) didn’t appear to receive quantity discounts at this price point
Training Costs
MSAB offers structured training programs to help investigators master the software:
| Course | Duration | Approximate Cost (EUR) |
|---|---|---|
| XRY Advanced Acquisition | 5 days | €3,495 |
| XRY Certification | 2 days | €1,280 |
| XRY Intermediate | 3 days | €1,850 |
| XRY Refresher | 1 day | €675 |
| Berla Certification (vehicle forensics) | 5 days | €4,500 |
These training costs are additional to software licensing and are generally required before agencies can establish internal certification programs.
Government Validation
The U.S. Department of Homeland Security (DHS) Science & Technology Directorate has published test reports validating XRY’s capabilities. Available reports include:
These government-endorsed test results provide additional confidence for agencies considering XRY adoption.
Integration with Vehicle Forensics: Berla iVe
Modern vehicles generate and store vast amounts of data, including location history, connected device information, and event logs. Recognizing the growing importance of vehicle forensics, MSAB has integrated support for Berla iVe files.
This integration allows investigators to:
- Import complete vehicle forensic extractions into XAMN
- Correlate vehicle events (gear shifts, door openings, speed changes) with mobile device data
- Analyze infotainment system data including connected mobile devices
- Create unified timelines spanning both vehicle and mobile device evidence
For agencies already using XRY for mobile forensics, adding vehicle forensic correlation provides significant investigative value without requiring separate analysis platforms.
Real-World Applications
XRY is deployed across diverse investigative scenarios worldwide:
Criminal Investigations: Law enforcement agencies use XRY to extract evidence from suspects’ devices, recovering communications, location data, and digital artifacts that establish timelines and connections.
Counter-Terrorism: Military and intelligence agencies employ XRY Pro’s advanced unlocking capabilities to access encrypted terrorist communications and planning documents.
Border Security: Customs and border protection agencies examine travelers’ devices for evidence of smuggling, human trafficking, or immigration violations.
Maritime Operations: The new GPS device extraction capability (introduced in XRY 11.4) supports coast guard and maritime authorities in human tracking, search-and-rescue, and border control operations.
Corporate Investigations: Private sector forensic teams use XRY for internal investigations, IP theft cases, and employee misconduct examinations.
Digital Crime Investigation: A comprehensive academic review notes that “forensic software tools like Cellebrite UFED, Oxygen Forensic Detective, XRY by MSAB, Magnet AXIOM… employ both physical and logical techniques to retrieve data from mobile devices. These advanced tools offer a structured approach to tackling digital crimes effectively”.
Strengths and Limitations
Key Strengths
Exceptional Device Coverage: With support for over 47,000 devices, XRY maintains one of the industry’s most extensive compatibility databases.
Rapid Update Cycle: Approximately eight annual releases ensure timely support for new operating systems and devices.
Comprehensive App Decoding: Support for over 480 apps with more than 4,600 versions covers virtually any application investigators might encounter.
Integrated Ecosystem: The seamless workflow from extraction (XRY) through analysis (XAMN) to reporting (XEC) eliminates compatibility issues found when mixing tools from different vendors.
Advanced Unlocking Capabilities: XRY Pro’s AFU bypass and GPU brute-forcing provide access to devices that might otherwise remain locked.
Government Validation: DHS testing and peer-reviewed research provide third-party validation of capabilities.
Limitations and Considerations
Usability Challenges: The System Usability Scale score of 59.7 (compared to 71.0 for AXIOM and 69.2 for UFED) suggests a steeper learning curve.
Variable Performance: Extraction performance varies significantly across different devices, with no single tool consistently outperforming competitors.
Cost Considerations: With annual renewals around $4,300 per license plus training costs, XRY represents a significant investment.
No Free/Lite Version: Unlike some competitors offering limited free versions, MSAB does not provide free or trial versions of XRY.
Comparison with Competing Tools
Mobile forensic examiners typically choose from three major enterprise-grade tools:
The choice between these tools often depends on specific agency requirements, existing infrastructure, and regional preferences rather than objective superiority of any single solution.
The Future of XRY
MSAB continues aggressive development of XRY, with recent releases pointing toward several strategic directions:
Expanding Beyond Phones: The addition of GPS device extraction and drone forensics signals MSAB’s commitment to becoming a comprehensive digital forensic platform, not just a mobile phone tool.
AI and Automation: OCR integration for image text recognition represents early steps toward AI-assisted analysis.
Cryptocurrency Forensics: Growing support for crypto wallets and RAM analysis addresses the increasing role of digital currency in criminal activity.
Improved Usability: Recognizing the usability gap identified in independent research, MSAB may prioritize interface improvements in future releases.
Hardware Optimization: Native GPU processing for brute-force attacks demonstrates MSAB’s commitment to maximizing performance from existing hardware.
