
Announcing the First Winner of the Magnet Forensics Scholarship Program


We’re proud to announce the first recipient of the Magnet Forensics Scholarship Program: Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT. Eric worked with his Lieutenant to apply for the scholarship and subsequently devote time throughout the year for the free training and travel opportunities provided and we’re excited to see how he...

The post Announcing the First Winner of the Magnet Forensics Scholarship Program appeared first on Magnet Forensics Inc..


How to Get GrayKey from Magnet Forensics


If you haven’t heard the news yet, Grayshift and Magnet Forensics have entered into an exclusive global technology and distribution partnership! That means it’s easier than ever to use GrayKey and Magnet AXIOM for all of your iOS investigations so you can obtain the best results. Who Can Buy GrayKey? GrayKey is available for purchase...

The post How to Get GrayKey from Magnet Forensics appeared first on Magnet Forensics Inc..

Maximizing the Partnership Between GrayKey and Magnet AXIOM


Magnet Forensics and Grayshift have partnered to provide law enforcement the tools they need to acquire and process the most data from iOS devices. This partnership is a result of our joint mission to help our law enforcement customers seek justice and protect the innocent.  For many years law enforcement agencies have struggled to acquire...

The post Maximizing the Partnership Between GrayKey and Magnet AXIOM appeared first on Magnet Forensics Inc..

Magnet Forensics and Grayshift, Partnering to Preserve Justice


We at Magnet Forensics are pleased to announce our partnership with Grayshift. At the core of this partnership is a shared commitment to helping law enforcement agencies seek justice and protect the innocent. Citizens may not realize, but the technologies that allow us to socially connect and conduct commerce with the touch of a smartphone...

The post Magnet Forensics and Grayshift, Partnering to Preserve Justice appeared first on Magnet Forensics Inc..

Magnet User Summit 2019 is Coming to The Hague!


We’re bringing Magnet User Summit 2019 to The Hague on May 15 and registration is now open! Magnet User Summit 2019 is a chance for customers and partners to come together and learn about the latest in digital forensics and digital evidence management. Taking place in The Hague, Netherlands at the Hague Marriott Hotel, the...

The post Magnet User Summit 2019 is Coming to The Hague! appeared first on Magnet Forensics Inc..

Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10

A Look Back at 2018: Resources for ICAC Investigations


Continuing our look back on the resources we’ve offered in 2018, this week, we’re highlighting the webinars, white papers, videos, and blogs that are focused on Internet crimes against children (ICAC) investigations. 2018 marked some major developments in Magnet AXIOM’s ability to support ICAC investigations. Adding full disk decryption using a generated password list and support for FileVault2...

The post A Look Back at 2018: Resources for ICAC Investigations appeared first on Magnet Forensics Inc..

Recorded Webinar: Memory Analysis for Investigations of Fraud and Other Wrongdoing


Computer memory is more than just another digital data source in an investigation—it’s a potential trove of actionable intelligence. Faster than acquiring a hard drive and composed of no more than a few gigabytes (compared to potentially terabytes of data), evidence found in memory can focus and shape interviews of compliant victims, witnesses, and suspects,...

The post Recorded Webinar: Memory Analysis for Investigations of Fraud and Other Wrongdoing appeared first on Magnet Forensics Inc..


Utilizing AXIOM Wordlist Generator to Optimize Handset Lock Code Breaking

Device Agnostic Mobile Acquisition – Who Needs Model Numbers?


There is a common misconception in the mobile forensics field that every acquisition method conducted on a mobile phone is specific to that model. Quite often, I get requests from examiners asking for a list of mobile devices our tools support. I usually reply with a list of the models we have physical recovery images for and then say we'll support a logical acquisition of any iOS or Android device. The responses to this last part range from confusion to flat-out disbelief.

In reality, the majority of methods, specifically logical and file system acquisitions, are not specific to any model of phone but work on the majority of devices. Model-specific profiles and images only come into play when you're acquiring physical images via a recovery image or bootloader, and even then, not all physical extractions are model-specific either. Many exploits target an entire chipset: they may be limited to that chipset, but they work across any device built on the same chipset hardware (see the Qualcomm EDL methods).[i]

Examples of Android Acquisition

Let’s take a look at some Android examples to see what I mean.

Most logical or file system acquisitions of Android devices will either use ADB or attempt to install an agent to pull provider data (or both). These methods work for most Android devices since Android 2 (when ADB was added), and while there are some minor quirks between software versions, nothing in the device hardware limits these methods. Occasionally, you'll come across a device that does not have ADB available, and the only method left is an agent, i.e. installing an application to pull data from the device (some phones sold in Asia remove ADB from their builds, preventing your forensics tool from doing an ADB backup of the device). However, as long as your tool attempts both of these methods, you should still get something from the device.

In many mobile forensics tools, a list of supported devices is provided to identify devices that the tool has built a profile for and included support for in their product. This acts as a great resource for examiners to look up the current device they’re examining and to see what type of support they’ll expect to get. Another great benefit of the device agnostic approach is that if a new device comes to market, it can still work with your forensics tools right away without requiring a profile to be built for that specific model. This can also help with less popular models or devices that are slow to be supported due to its lack of popularity.

Even when a device is listed as supported, not all supported methods are created equal. Obviously, getting a physical image, either via software methods (recovery/bootloader) or hardware (JTAG/ISP/chip-off), is best, but it isn't always available. Many physical extractions allow bypassing passcodes and lock screens but don't often help with encryption. Full disk encryption often prevents or hinders physical methods, leaving only logical methods available on many newer devices that ship with encryption on by default, and this trend will continue as encryption by default becomes standard for device manufacturers. Even logical methods vary in what they can recover, as they're often limited to what the API gives you access to: app developers choose whether their app is included in a backup, and they can even choose which of its files get backed up.

Other logical methods, such as Android OTG, won't work on every device, but the limitation is in the software more so than the hardware or specific model. The OTG method was patched in late 2016[ii], so depending on the software version of your device this method may or may not be available; it has nothing to do with the model of device. For example, if you're investigating a Samsung Galaxy S7, these devices originally shipped with Android 6 (Marshmallow) and OTG was an available method. Many of these devices have since been updated (it often depends on the telco carrier to choose when updates get approved and pushed out) to various versions of Android 7 or 7.1 (Nougat). So, if you're running the latest version of Android on your device, that method won't be available regardless of whether that model was previously supported.

Don’t Rely Solely on a List of Supported Models

I recently saw on Twitter that someone is building a consolidated list of models supported by various forensics tools and hardware boxes (https://www.digitalforensiccompass.com/), which looks to be the start of a good resource. As with anything in DFIR, your investigation will dictate your needs. Sometimes you'll need model-specific images or exploits to get physical access to a device or bypass a passcode; other times, a device-agnostic logical image with ADB is the only option available to you. There's nothing wrong with having a list of supported models attached to a given tool, as it can be a helpful resource; however, don't rely solely on those lists as the basis of whether a tool is going to be successful in getting you the information you need in your investigation. It's not that black and white.

There are many acquisition methods that work across models and operating systems; understanding how those methods work will help you better understand the type of data you will get in return. We are taught as examiners to investigate and understand how our tools work and how we use them in our investigations, because we may need to testify to the methods to our stakeholders or in court. An understanding of the tool's acquisition methodology can also help you better understand how to approach mobile device acquisitions in the future. This helps you find the best method(s) and tool(s) for the device you are examining.

Feel free to reach out if you have any questions or comments.

Jamie.mcquaid@magnetforensics.com

[i] https://alephsecurity.com/2018/01/22/qualcomm-edl-1/

[ii] https://www.xda-developers.com/android-otg/

The post Device Agnostic Mobile Acquisition – Who Needs Model Numbers? appeared first on Magnet Forensics.

How AXIOM Technology Helps Builds Stronger Cases from Start to Finish: Webinar Q&A


In our two recent webinars, “Using Technology to Find Information Faster and Build Stronger Cases” and “Finding the Best Starting Point for Insider Threats and Other Workplace Investigations”, members of our product management team described common practices and, specifically, how the latest Magnet AXIOM features offer investigators a defined process and appropriate detection/investigative techniques.

Attendees to both webinars asked a lot of great questions, and we wanted to take some time on the blog to go through and answer them.

The Basics

What RAM, CPU, and GPU specs do you recommend for a computer running AXIOM?

We recommend a CPU of 16 logical cores and 32 GB RAM. If you add cores to your CPU, plan to allocate at least 2 GB of RAM for every processing core in your system.

While it’s possible to run AXIOM on a basic system with a CPU of 4 logical cores and 8 GB RAM, these minimum requirements might result in poor imaging times in AXIOM Process, as well as slower actions in AXIOM Examine with larger data sets.

GPU support, meanwhile, was added for image classification in Magnet.AI as of AXIOM v2.2. Learn more in our blog post about the version here.

More information, including additional specs, is available on pages 13-14 in the AXIOM User Guide.

To optimize performance, what is the best hardware configuration?

There are a couple of different options to reduce any disk I/O bottlenecks:

  • Run most active cases on a local SSD, and then store/archive completed ones on a RAID or external storage.
  • Not required, but helpful to boost I/O, is to keep evidence images on one drive and your case on a separate drive.

Is it safe to open a case created with AXIOM 1.x in AXIOM 2.x?

AXIOM handles backwards compatibility for cases that were created on older versions of the software and opened in a newer version of AXIOM Examine.

Likewise, is it safe to open a case created with IEF in AXIOM?

The database structure for IEF is different from AXIOM, so you will need to reprocess an IEF case to open it in AXIOM.

Do you need a hardware write protect to make an image with AXIOM?

While it is not mandatory to use a hardware write blocker, it is certainly recommended as good forensic procedure. AXIOM should work seamlessly with most popular HW write blockers like Tableau, CRU, etc.

If I can’t remove the SSD from a laptop, what option do I have to examine the data in it using your tool or any other tool?

If you can’t remove the drive and you don’t have an adapter, you should plan to do either a live acquisition or boot disk to image the drive. (This is pretty common in Macs.) Jamie McQuaid, our Forensic Consultant, recommends Sumuri’s Recon Imager for this type of work, in addition to many Linux disks that will do similar things.

Loading and Working with Images in AXIOM

Can you add multiple images / pieces of evidence for multiple custodians? If yes, then how will it show under top artifact categories?

Yes, multiple forensic images or pieces of evidence can be added to Magnet AXIOM. They can be added in either a single initial scan, or more than one scan using the “Add New Evidence” post-processing workflow.

Following processing, each piece of evidence will be represented with its own unique evidence widget in the center column of the Case Dashboard.

Can you add or change images at any time, or only on the front end?

Evidence can be added to a case at any time. Removal is not currently possible, but is functionality we plan to add in a future release of Magnet AXIOM.

How do you bring in Oxygen and Cellebrite images?

Go to Mobile, select either iOS or Android as appropriate, then select “Load Evidence” and “Image”. Finally, select the forensic image you would like to load.

For a more detailed walkthrough of each process, see our blog posts:

Will AXIOM process the keychains we get from GrayKey? If so, what’s the best way to import and view them? Can you use a keychain from GrayKey to attempt to identify possible passwords?

Yes, AXIOM will support the GrayKey keychain file. Be aware that this is slightly different than either a standard keychain plist, which is included in a regular iOS backup, or the keychain database found on jailbroken phones.

Working with AXIOM 2.0

Will the Volatility integration capture password hashes from memory?

We’ll include this in a new release of Magnet AXIOM coming soon.

Is there a de-duplicating function for documents and email?

AXIOM does de-duplicate documents and email, but our de-duplication focuses on artifacts recovered using a variety of techniques we employ during the image search. We currently do not de-duplicate documents and emails stored in different locations within the images.

Are PDF documents OCR’d during initial processing?

Not today, but optical character recognition (OCR) is functionality we plan to add to AXIOM this year.

Can the examiner select specific information from a database and bookmark it independently of the database?

Not today, but we also plan to add this functionality to AXIOM this year.

Is Bitlocker Recovery Key extraction supported in the memory analysis?

We’ll add this in a new release of Magnet AXIOM coming soon.

Where in Categorization can you select a level percentage of confidence match?

Magnet.AI currently filters categories by leveraging tags. We may look to add some additional flexibility around percent-based filtering in a future release.

Can AXIOM conduct malware analysis with the Volatility integration?

AXIOM will examine the host computer and memory for malware or other suspicious activity. However, it doesn’t do static or dynamic analysis on the malware you discover. The best practice, Jamie says, would be to export the malware out of AXIOM and use dedicated tools such as Cuckoo Sandbox, Ollydbg, or IDA Pro to actually analyze the malware.

How does Case Dashboard impact Portable Case?

At this time there is no impact, although we’re looking at extending the Case Dashboard to Portable Case. Most of all, we want to be sure to balance the presentation of good information that Portable Case currently provides, without overwhelming stakeholders with information.

The post How AXIOM Technology Helps Builds Stronger Cases from Start to Finish: Webinar Q&A appeared first on Magnet Forensics.

Magnet AXIOM’s Custom Artifacts Now Supports Python Development


New Magnet AXIOM Version Available

Magnet AXIOM 1.1.1 is now available with the ability to create Custom Artifacts using Python — adding a new programming language to Custom Artifacts, in addition to previous support for XML.

Offering support for Python, as well as XML, gives examiners at every level more options when building their own Custom Artifacts. XML is a great tool for non-technical or beginner users, while Python development is suited to someone with a bit more development experience.

Both development environments allow examiners to build artifacts that will recover data from across an app – messaging, location, browser interactions, etc.

The Custom Artifacts feature in AXIOM makes it easy to seamlessly integrate custom-made artifacts into any AXIOM case.

Once a Custom Artifact has been built, examiners can now choose to share their work on our new Artifact Exchange! (Read our blog post about the Artifact Exchange.)

The Artifact Exchange

Additional Features in AXIOM 1.1.1

In addition to our support for Python development, AXIOM users will benefit from some other updates in our latest software version, Magnet AXIOM 1.1.1 including:

  • Searching 7-Zip Containers — AXIOM will now search 7-Zip files as backlog items. First AXIOM decompresses the files and then searches the contents for recoverable information
  • Filtering Conversations in Column View — Quickly move from a single chat message to filter for all other messages in that conversation

AXIOM customers can access all release notes in the Customer Portal

Like what you’re seeing in AXIOM? Try our industry-first use of machine learning, Magnet.AI to narrow results quickly in child exploitation cases. Get your free trial of AXIOM or request an AXIOM Demo today!

The post Magnet AXIOM’s Custom Artifacts Now Supports Python Development appeared first on Magnet Forensics.

Guest Post: It’s Time to Tear Down the Silos – The Power of Integration


Here at Magnet Forensics, we greatly value our industry partnerships, so you can imagine how thrilled we were when Griffeye approached us to post an opinion piece (pretty on the nose one too, if you ask us…) on our blog.

Johann Hofmann, Head of Griffeye

Our relationship with Griffeye has grown over the last year and we are currently readying the next leg of our global roadshow to showcase the power of integrating tools in an examination – and the importance of vendors providing true integration. (Learn more about the tour here.) Recently Johann Hofmann, Head of Griffeye, spoke with our own Founder and CTO Jad Saliba (you can read that Q&A here) about the industry and the importance of integration.

Now Johann offers his own insight on the need for the industry to think differently about their tool kits, and to expect more from software and tools providers when it comes to setting up investigative teams for success.

Johann considers the difficulties that investigators and their teams face working in silos even as they try to cope with increasing volumes of evidence and heavy caseloads. He believes it’s a challenge that technology providers have a duty to address, giving the power back to the users and helping them get better and quicker case results.

So long to the silo: It’s time to put investigators back in control

Working in silos is a well-recognized problem within many organizations and information systems. These silos end up isolating people and projects, negatively affecting workflow and the chance of success. In my own experience, and from speaking to users, they’re also one of the main obstacles for law enforcement investigators and their teams as they look to share workload, information, and expertise – and ultimately solve cases.

So what exactly are we dealing with? Let’s break it down to three common types of silo that users and their teams often seem to experience:

  1. The User Silo

It’s an all too familiar story. A single user is left on their own with all the case information, specialist experience, and heavy workload. Not to mention all the responsibility and stress of achieving a vital result under time pressure, even when trying to solve the most horrific crimes such as identifying victims of child sexual abuse.

  2. The Tool Silo

Over just a few short decades, our digital society has evolved at a mind-boggling rate. Digital crime has kept the same dizzying pace. Seized data was once small in volume and quite basic, meaning one or two computer forensic tools could do the job. But the digital information seized today is very different: a whole range of specialized tools is required to achieve results. Unfortunately, the concept of interoperability (i.e. tools sharing data) is not something that has been encouraged by the majority of tool providers so far. So what happens to the case and your workflow when the information is stuck in one tool? A tool silo means you aren’t going to get the results your hard work deserves – and that can even mean crimes going unsolved.

  3. The Information Silo

This is a combination of the two previous silos – and far too often the reality for many law enforcement investigators. With data that is stored in the tool rather than centrally, and that is difficult to export and share with other users, there is even less ability to share information, specialist experience, and workload to relieve the physical and mental burden on individual investigators. There’s even the risk of information being lost as you move it from one tool to another. The result? Increased stress and frustration as cases become harder and take longer to solve. And perhaps many cases never get fully closed because you are not detecting all the clues and connecting all the dots.

Escaping the silo – The role of technology providers

These silos can seem like an impossible challenge, but where there’s a will there’s a way. As technology providers, we are partly responsible for creating this problem, because we drove a business model that locked users into proprietary tools and formats. We can find solutions that help investigators escape the silo and make the job easier and more rewarding. If we give more users the best, fully integrated tools, along with the ability to share information, experience, and workload with other specialists, we can help deliver a far smoother and more effective workflow. And, most importantly, far better and quicker results.

It’s my belief that this collaborative and integrated approach, which helps teams move through their cases quickly, is as important as building great tools in the first place. I’ve witnessed that first-hand while working with Project VIC and our friends at Magnet Forensics. With an open approach to helping each other and ultimately the users for the greater good, I’ve seen how building seamless and automatic integration between technologies really sets a new standard. It lets investigators tell a complete evidence story and uncover the truth. Ultimately, that’s what it’s all about.

It’s time for the industry, technology providers and investigators alike, to say goodbye to the silo once and for all and embrace the opportunities to share the load and work better together. We will continue to work with partners such as Magnet Forensics to find new points of integration for our solutions, like the recent updates made to Magnet AXIOM that allow investigative teams to export evidence to Griffeye and then re-import the newly categorized data back into AXIOM to create a complete and comprehensive report.

Breaking down silos and finding points for true integration will fundamentally help our customers build stronger cases and find more evidence.

The post Guest Post: It’s Time to Tear Down the Silos – The Power of Integration appeared first on Magnet Forensics.

Q&A: Chuck Cobb, Magnet Forensics’ New VP of Training


We all know the forensics industry needs to be credible and reliable to have its necessary impact in the courtroom. Magnet Forensics recently launched an expanded training program and its first certification – the Magnet Certified Forensic Examiner (MCFE). To build an industry-leading training program, Magnet Forensics brought Chuck Cobb on board as Vice President, Training. We took a minute to sit down with Chuck and learn what it takes to build a top notch training and certification program.

Magnet Forensics Blog: Why is a certification program so important to Magnet Forensics, and the forensics industry in general?


Chuck Cobb: At Magnet Forensics, we know how important it is to show accreditation and add to the credibility not only of the products, but most importantly of the examiner. In a courtroom, the examiner, the judge, the lawyers, the jury – everyone needs to have confidence in the findings and the methods and we want to ensure we are helping our customers with that high level of credibility through a certification program.

The value of certification in the tech sector has skyrocketed in recent years. A key factor is the dynamic state of technology as a whole. What I mean by that is, traditionally you could predict a candidate’s ability based on post-secondary educational success and experience. But as technology progresses, it’s increasingly difficult for colleges and universities to quickly adjust curriculums to match the latest trends in technology. This has opened the field to private sector companies who can remain flexible to fill the accreditation space.

We all know that within the digital forensics community the impact of the work is extremely powerful. Quite literally, the freedom of an accused criminal can hang on the examiner’s findings. This responsibility demands that examiners possess, and can display, skills that are current, effective, and proven. A quality certification provides this.

MFB: What are the must-haves for a successful training program?

CC: A successful training program is built around curriculum that delivers both technical knowledge and hands-on skills used in the student’s daily work. It is imperative that you build the courses with a solid understanding of your audience and their needs and workflows.

For our specific student: the forensic examiner or investigator, we know that digital evidence must be handled in a precise manner built around methods that protect the integrity of the media/data to be examined, and a quality training program delivers training on proven and accepted best practices surrounding the handling of digital evidence.

I also want to note that a training program will only ever be as good as the people building it and running it. At Magnet Forensics, we have a staff of proven trainers who have worked real-world investigations using our tools as well as other companies’ tools. Our team knows how to go about finding and explaining forensic artifacts, and we build that know-how into our course content. That content is delivered with the same sense of importance and skill the team has used in the field to close cases.

MFB: What are the pitfalls that people need to avoid when looking into training programs?

CC: If the training program you are looking at is a vendor-neutral program, you want to look at established leaders who have built their programs around best practices. Look at what SANS, NW3C, DCTIA and IACIS are doing, to name a few.

When exploring vendor-specific programs, people need to look for a mix of theory and practice – one or the other will not really show a depth of expertise. I would recommend that examiners look for certifications for tools that integrate into their regular workflow. Read reviews and ensure that the certification process is not handheld by the vendor – make sure the process itself looks and feels credible.

MFB: What can people expect from the training and certification programs from Magnet Forensics?

CC: Magnet Forensics has always focused on user input and working with our customers when building any product, and our training program is no different.

One of the great things I’ve learned about Magnet Forensics is that there is an openness to look at problems from different angles and find new ways to use our software to solve those problems. Growing our training and certification programs with that spirit of innovation, problem-solving, and doing good will help us maintain relevance and incorporate new standards.

When you’ve gathered industry experts who’ve worked investigations and been involved in the training of literally tens of thousands of forensics examiners, the results will set a new high-water mark for the industry.

MFB: With the launch of Magnet AXIOM, how do you see Magnet Forensics’ training program evolving?

CC: Magnet AXIOM is a powerful tool, and as a company we are eager to show the forensic community how it can impact your investigations. When launching a new product and building a training program, it’s important to strike a balance between enabling new users and supporting existing ones.

We know there are examiners out there still relying on the power of IEF to conduct their investigations. Our current training line-up provides these users with the skillset and know-how to confidently support their findings and demonstrate their proficiency in the use of IEF. When it comes to Magnet AXIOM, we are working to build a new training curriculum that will instill the same level of confidence and knowledge in our users.

MFB: How should people reach out to your team for more information?

CC: Simple! Email us anytime at training@magnetforensics.com.

The post Q&A: Chuck Cobb, Magnet Forensics’ New VP of Training appeared first on Magnet Forensics.

Who’s got Full Disk Decryption? Magnet Forensics Does


Magnet Forensics has joined forces with Passware to provide full disk decryption (FDD) to our customers.

Coming soon – Forensics examiners will be able to analyze content from drives running encryption software like BitLocker, TrueCrypt, and PGP in Magnet AXIOM. AXIOM is growing like a weed this year and the addition of full disk decryption answers a direct request from many of our customers.

We knew we wanted to provide full disk decryption capabilities, and it made perfect sense to work with the outstanding team at Passware to leverage their expertise in this area and integrate some of their technology into ours.

Free Integration of Passware

Passware Kit Forensic is Passware’s complete encrypted electronic evidence discovery solution. AXIOM now includes Passware decryption technology at no additional cost to the customer. There are no hidden fees here. Passware sells other decryption technologies that are above and beyond the cost of AXIOM, but our implementation of FDD is included.

And this is only the beginning! We are continuing to work with Passware to integrate more FDD technology into AXIOM and increase support for popular encryption tools.

Stay tuned! In the meantime, read the press release for more details. If you enjoy our blog, please subscribe and be alerted to new posts and information. Just enter your email and click the Subscribe button on the right-hand side of this page!

The post Who’s got Full Disk Decryption? Magnet Forensics Does appeared first on Magnet Forensics.


Identify – and Help Out – Great Digital Forensics Candidates in Your Agency


When we announced the Magnet Forensics Scholarship Program last year, we did so with the intention of giving promising law enforcement officers an opportunity to get a head start in digital investigations. Patrol officers, detectives, and others who want to explore this career can apply for a scholarship to receive:

  • Unlimited access to world-class digital forensics training for one year.
  • The opportunity to obtain the industry-leading Magnet Certified Forensics Examiner (MCFE) digital forensics credential.
  • A free one-year Magnet AXIOM license.
  • A trip to the Techno Security & Digital Forensics Conference 2019.

But how might you go about nominating an officer or detective to participate? Whether you’re starting a brand-new lab or building on what you already have, we wanted to offer some tips on what to look for in selecting the right person to train.

How to Identify a Candidate (Including Yourself)

The best Magnet Forensics Scholarship Program candidates have a number of characteristics in common:

  1. They ask questions, all the way from academy training up through field training and beyond. They’re interested in how evidence is stored on a device, how to preserve digital evidence, why forensic examiners have the requirements they have, and what kinds of evidence are available to help them build their cases.
  2. Digital situational awareness. They know the relevance of digital evidence and its place among more traditional forms of evidence and investigation, and they think in terms of the “digital crime scene.” They ask whether manipulating the device in any way will change or destroy evidence, and they understand that any electronic device might store data—even if it’s not one they commonly see or submit to their lab.
  3. They’re driven by the oath they swore to defend their community, which they know extends into the digital world—online and offline. Your next digital forensics expert could be the school resource officer who coaches kids on how to stay safe from bullies and predators, or the detective who counsels battered women about digital survival, or the street cop who knows to check the phone for distracted driving evidence after every traffic collision.
  4. Leadership candidates. Law enforcement leaders need to be well-rounded, and they also need to be prepared to guide future generations of officers as technology continues to evolve. Supervisors and command staff who have a solid foundation in digital evidence are in the best position to provide this guidance. If you’ve pegged an officer as leadership material because of the way other officers turn to them for advice and support, as well as the other characteristics in this post, nominate them for our scholarship program.
  5. Openness to different career possibilities. With digital forensics skills, the possibilities are limitless. You might end up investigating fraudsters or cyberterrorists for a federal agency or corporation, or remain in law enforcement managing your own lab.

Submit Your Nominations

If you or an officer you know are currently performing a non-technical role and would like to explore future career opportunities in digital forensics, then this scholarship program is for you—your chance to get the tools you need to get started in digital forensics, without affecting your department’s budget.

Fill out the form on this page to submit your nomination and tell us why you’re interested in pursuing a new career in digital forensics. You can also send your resume, with a letter of recommendation from your leader, to ScholarshipProgram@magnetforensics.com.

All entries are due by Sept. 30, 2018, and we’ll reach out to the winner once they are chosen.


Utilizing AXIOM Wordlist Generator to Optimize Handset Lock Code Breaking


An updated version of the free Magnet AXIOM Wordlist Generator tool is now available for download.

The long-standing roadblock for examiners dealing with iOS devices has been the device’s handset lock code. There are several types of passcodes an examiner may come across on an iOS device, including:

  • 6-Digit Numeric Code
  • 4-Digit Numeric Code
  • Custom Numeric Code
  • Custom Alphanumeric Code

When dealing with devices running 4- or 6-digit PINs, a standard brute-force-style attack is usually feasible: a 4-digit code has 10,000 possible combinations, while a 6-digit code ramps the difficulty up to 1,000,000. The true test comes when devices use a custom numeric or alphanumeric passcode, where users can specify how many characters they’d like to use.

Apple has more recently helped its users by “assisting” them in picking a more complex passcode. If a user tries to set a 1-3 digit custom numeric passcode, Apple warns that the passcode is too easy and will not allow them to set it. Once the user specifies a 4-digit passcode, it still warns that the passcode could be easily guessed, but allows the user to keep it.

With the release of GrayKey, brute-forcing these custom numeric and alphanumeric passcodes became possible for examiners again; however, these tools require a good wordlist in order to be successful. Since AXIOM can generate wordlists from existing cases, we quickly realized how our recent partnership could take this one step further to help out the forensic community.

With AXIOM Wordlist Generator 1.1, we can not only continue to export wordlists from AXIOM cases, but can now also optimize those wordlists for use with the GrayKey device. The tool walks through the wordlist and reorganizes it, prioritizing the words that meet the following criteria, in this order:

  1. Numbers only, 4-6 characters
  2. Letters and numbers only, 4-8 characters
  3. English dictionary words, 4-8 characters
  4. Everything else

This allows users to target the more likely possibilities first while still eventually working through all of the words recovered by the AXIOM Wordlist Generator.
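The reordering described above can be written down directly. The following Python is an added example for this post, not the AXIOM Wordlist Generator’s own code: it sorts a recovered wordlist into the four tiers listed, keeps the recovered order inside each tier, and drops duplicates. Two points are assumptions rather than documented behaviour: tier 2 is read as strings containing both letters and digits (otherwise an all-letter dictionary word could never reach tier 3), and the English dictionary is a small constructed stand-in, since the tool’s actual dictionary is not described here. The same classifier also makes the defender’s point: a passcode that lands in the “everything else” tier is exactly the kind that this prioritization tries last.

```python
"""Reorder a wordlist into the four priority tiers described in the post.

Added example (not the AXIOM Wordlist Generator's own implementation).
Input is assumed to be one candidate per line, which is how the AWG text
export is described; the dictionary below is a constructed stand-in.
"""
import re
import sys
from collections import Counter
from typing import Iterable, List

# Constructed stand-in for an English dictionary; the real tool's word list
# is not described in the post.
ENGLISH_WORDS = {"password", "summer", "dragon", "monkey", "letmein", "hunter"}

# Tier 1: digits only, 4-6 characters (the standard iOS numeric PIN lengths).
NUMERIC_RE = re.compile(r"[0-9]{4,6}")
# Tier 2: letters and digits only, 4-8 characters. Assumption: both kinds
# must be present, so pure-letter strings fall through to tiers 3 and 4.
MIXED_ALNUM_RE = re.compile(r"(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]{4,8}")

TIER_NAMES = ("numeric 4-6", "letters+digits 4-8", "dictionary 4-8", "everything else")


def tier(word: str, dictionary=ENGLISH_WORDS) -> int:
    """Return 0-3; lower tiers are tried first."""
    if NUMERIC_RE.fullmatch(word):
        return 0
    if MIXED_ALNUM_RE.fullmatch(word):
        return 1
    if 4 <= len(word) <= 8 and word.lower() in dictionary:
        return 2
    return 3


def prioritize(words: Iterable[str], dictionary=ENGLISH_WORDS) -> List[str]:
    """Deduplicate, then stable-sort by tier so that the order within a tier
    is the order in which the words were recovered."""
    seen = set()
    unique = []
    for raw in words:
        w = raw.strip()
        if w and w not in seen:
            seen.add(w)
            unique.append(w)
    return sorted(unique, key=lambda w: tier(w, dictionary))  # sorted() is stable


def tier_summary(words: Iterable[str], dictionary=ENGLISH_WORDS) -> Counter:
    """How many unique candidates fall into each tier; handy for sanity-checking an export."""
    return Counter(TIER_NAMES[tier(w, dictionary)] for w in prioritize(words, dictionary))


if __name__ == "__main__":
    # Usage: python prioritize_wordlist.py wordlist.txt > wordlist_prioritized.txt
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        for candidate in prioritize(fh):
            print(candidate)
```

Run it on an AWG text export and feed the output file to the next step in place of the original list; the tier summary is a quick way to see how much of a wordlist is actually in the first two tiers before committing hours of device time to it.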

So how can we as examiners maximize the data we’re using? Simple: we think about how people use passcodes. Even a security-minded individual may use the same passcode or PIN on more than one service or site. And since this code may need to be entered multiple times a day to unlock a device, users will likely choose something they can easily remember. To generate a great wordlist, examiners simply need to turn to the artifacts that AXIOM already handles. Some examples of great source data include:

  • iOS Keychain Data
    • Keychain data extracted from AFU (after first unlock) or BFU (before first unlock) devices makes a GREAT wordlist source, as any saved passcodes from the device may be duplicated for the user’s lock code.
  • Web Related Form/Login/Autofill Data
    • Saved form data from modern browsers may contain valuable information about where our user logs in.
  • Cloud-Stored Passcodes
    • If an examiner can gain access to a user’s cloud account from the keychain data acquired with GrayKey, they may be able to extract all of the stored passwords as well.
  • Documents
    • Users may keep passwords in documents or databases on their system, the digital equivalent of the old-school “sticky note,” and these can contain passwords or valuable dictionary words.

Simply put, run ANY available evidence in your case (computers, other mobile extractions, USB drives, cloud data, etc.) through AXIOM in order to generate as complete a wordlist as possible.

To enable GrayKey optimization in the AXIOM Wordlist Generator (or AWG, as many examiners lovingly call it), simply tick the checkbox in the main interface. The tool still pulls all the recovered words out into a list, but reorganizes them by the logic described above. This job runs at the end of the wordlist export, so it adds a small amount of time to the end of the AWG text file generation.

Wordlist Generator

Once your text file is generated, simply load the list into the GrayKey interface and let it run through your wordlist. We hope this new functionality will continue to empower the community to gain access to devices when it is needed, and we look forward to hearing any feedback!


Announcing Magnet AUTOMATE, a New Solution to Help Labs to Complete Investigations Faster


We’re pleased to announce a new solution for digital forensics labs to get the most out of their forensics tools: Magnet AUTOMATE. AUTOMATE allows labs to complete their investigations faster by powering a repeatable forensic workflow that minimizes downtime and maximizes efficiency.

At Magnet Forensics, we’ve been aiming to help digital forensics labs focus their energies on the tasks that require their expertise—such as analysis and review—rather than on repetitive, clear-cut jobs like imaging and processing.

Magnet AUTOMATE lets labs orchestrate a repeatable workflow with Magnet AXIOM and any other commercial tool or custom script that has a command-line interface. This new standardized workflow eliminates hours of downtime between each step in the investigation and can deliver evidence within 48 hours on every case. 

How Magnet AUTOMATE Works

An example of a defined workflow created within Magnet AUTOMATE

With the AUTOMATE control panel, examiners can visually map out a workflow—containing multiple tools, Python scripts, and simple Java applications—into a set of repeatable steps to be taken for each case type.

Once your workflows are designed, Magnet AUTOMATE leverages existing lab hardware and server space to process evidence 24/7. AUTOMATE can also run on multiple workstations simultaneously, enabling examiners to complete investigative steps in parallel. This means that things like processing with custom scripts and creating exports from your AXIOM case can be done automatically instead of requiring examiners to come into the lab—an interaction that sometimes halts progress and creates hours of delays.

The whole workflow is customizable to maximize the benefit to the team at hand, all while allowing for proper procedures that follow specific industry standards.

All told, AUTOMATE has been shown to help complete up to six times more cases and deliver evidence for review within 48 hours.

“Our Team is Completing More Cases”

A large metropolitan UK police agency has seen results with AUTOMATE. As a Senior Digital Forensic Specialist for the organization says:

“Magnet AUTOMATE enables our team to deliver a guaranteed service level for all child abuse cases, according to a management-approved workflow. Because time-to-evidence is now guaranteed inside 48 hours, investigators can identify and act on relevant material quickly, examiners are freed from repetitive tasks, and our computing power is being utilized 24 hours a day, 7 days a week. Our team is completing more cases—in less time and at lower cost—so we can focus our efforts on the challenging areas that require our expertise.”

Learn More about Magnet AUTOMATE

Think your lab may benefit from Magnet AUTOMATE? Head over to our Magnet AUTOMATE page to learn more about the solution and to request more information.

We’ll also be hosting a special webinar on Tuesday, April 16 at 11:00AM & 1:00PM ET where we’ll go in depth on AUTOMATE and answer any and all questions you may have during a live Q&A. Register for the webinar here.


Magnet AXIOM 2.9 Includes Enhanced Custom Artifact Support and New Android Acquisition Methods


Magnet AXIOM 2.9 is now available for download! Read more about what’s included in the latest release of AXIOM, including enhanced custom artifact support, new logical acquisition options for Android, and updates to G Suite support.

Try it for yourself now! If you’re a customer, download AXIOM 2.9 right now either in-app or in the Customer Portal. If you want to try AXIOM 2.9 for yourself, request a trial today.

Enhanced Custom Artifact Support

In addition to the support we’re constantly providing for new artifacts with every release, AXIOM 2.9 greatly expands its custom artifact capabilities. Because of the sheer number of possible artifacts you may run into, there will be times when full native support is not yet available.

These new capabilities put more control in your hands: you can specify file extensions or file signatures (for example, CAD drawings or Photoshop drawings) for artifacts without native support.

An Excel file with custom specifications can be launched for editing within AXIOM and those specifications will be available for every case file. Hashes of the data recovered will be provided along with some basic de-duplication as well as timestamp and location information for where these were found.

More Logical Acquisition Methods for Android

Get more information and artifacts from more Android devices with two new logical acquisition methods that have been added to AXIOM 2.9.

The new methods are available through the ADB (unlocked) device workflow and enable a logical extraction from Android devices where possible. This includes rooted devices, and Android 5, 6, and 7 devices without the December 2016 security patch.

Recover G Suite Calendar Events

Adding to our previously released support for G Suite, AXIOM Cloud users can now also recover calendar events stored in G Suite — helping you collect and process a full set of user data from a G Suite account during corporate investigations.

New and Updated Artifacts

We’re always bringing new and updated artifacts to each release of AXIOM. Here’s what’s included in AXIOM 2.9:

New in Android

  • Samsung Browser
    • Recover information from the Samsung Browser on Samsung Android phones, including web history and visits, media history, downloads, cache information, cookies, auto-fill information, and more.
  • Reddit
    • Get recently viewed sub-reddits and account information.

New in iOS

  • KnowledgeC (App Intents + Media History)
    • From a GrayKey image, recover information about the type of intent taken, along with the action and any associated metadata. Also recover information about media (video and audio) that has been played on the device.

New in All Platforms

  • Encrypted files
    • An entirely new implementation leveraging Passware’s technology to find common encrypted file types. This artifact vastly improves performance over the previous implementation while also reducing false positives.

New in Windows

  • Edge, Chrome and Firefox
    • Recover information about add-ons and extensions that were installed for the Microsoft Edge, Chrome, and Firefox browsers. With the Edge browser, we have enhanced support for recovering and attributing browsing history, as well as adding support to recover top sites, typed URLs, favorites and reading list information.
  • Your Phone
    • Allows for attribution of pictures found on a computer that were received via the Your Phone sync application, as well as recovery of device sync settings and information.

Updates

  • Chrome (Android)
  • SMS/MMS (Android)
  • User Info (Android)
  • Android Email (Android)
  • Events (Android)
  • Snapchat (iOS)
  • Kik (iOS)
  • Locations (iOS)
  • Call logs (iOS)
  • Instagram (iOS)
  • iMessage (iOS)
  • User Accounts (Windows)
  • Skype (Windows)
  • Windows Timeline (Windows)
  • Chrome (Windows)

If you’re already using AXIOM, download AXIOM 2.9 over at the Customer Portal. If you want to see how AXIOM 2.9 can give you a better investigative starting point, request a free 30-day trial today!


Working with iOS Devices Post-11.4.1


by Chris Vance, MCFE, Magnet Forensics Manager, Training Curriculum Development

With iOS 11, Apple decided to focus heavily on end-user security and privacy, releasing incremental updates that added several additional features. The initial release of iOS 11 included:

  • New security features, such as requiring the passcode to create a trust-pair relationship (previously, it was enough for the device to be unlocked).
  • Moving two-factor authentication PIN codes behind the lock screen.
  • The same backup encryption strategy of iOS 10.2.

Because of these security enhancements, it has become imperative that the examiner obtain the user’s handset lock code. Individuals may not always be willing to provide it, or may not be able to.

A Primer: USB Restricted Mode

Another incremental change which the forensic community has been tracking for some time is the release of “USB Restricted Mode.” When enabled, this mode disables the Lightning port on the iOS device after a period of time, allowing only power to pass through the port. More specifically, the pins on the port responsible for passing data are disabled and won’t allow any USB device or computer to connect to the iOS device.

USB Restricted Mode lock screen message

With the release of iOS 11.4.1, Apple finally made USB Restricted Mode—previously available only in beta versions—publicly available. The timing window was set to one hour, meaning that once the device has been locked for 60 minutes, it cannot be connected to a forensic computer. This addition drastically changes the way we as examiners must deal with iOS devices in the field during seizure and acquisition.

The setting which controls USB Restricted Mode can be found under Settings > Touch ID & Passcode (or Face ID & Passcode). Regardless of which biometric unlock the device uses, the passcode must be entered to see these settings. That way, examiners can disable the mode if they happen to catch an unlocked device in the wild. The toggle which controls this mode is called “USB Accessories,” and it can be confusing for those seeing it for the first time.

Screen capture: USB Restricted Mode disabled
Screen capture: USB Restricted Mode enabled

The confusion comes from the toggle’s meaning being inverted relative to the name of the mode: when the “USB Accessories” toggle is ON, USB Restricted Mode is actually disabled. When the toggle is OFF, USB Restricted Mode is enabled and the one-hour window is in effect; this is the default setting. When USB Restricted Mode is enabled, any USB accessory or forensic computer attached to the device generates a notification on the device saying “Unlock iPhone/iPad to use accessories,” accompanied by three long vibrations.

It is also possible to trigger this mode manually by putting the device into SOS (emergency) mode. This feature, added in iOS 11, is activated by holding the volume and power buttons together or by rapidly pressing the power/side button five times.

The one-hour time limit drastically changes the way first responders handle iOS devices. Because this will most likely be the default going forward, and it is hard to tell what version a device is running just by looking at it, examiners and first responders need to treat every iOS device as if there is only a one-hour window in which to connect it.

If the examiner has the handset lock code, the one-hour limit is less of a factor because the mode is reset as soon as the device is unlocked. However, if the handset lock code is not known or available, this is where we must act quickly.

A tool such as Grayshift’s GrayKey allows examiners to attempt a brute-force of the handset lock code on modern iOS devices. However, the device must be connected to the unit while it is not in USB Restricted Mode, which leaves only a finite window in which to make the connection for extraction.

Delaying the Timer

The one-hour timer appears to start from the moment the device is locked. As soon as the device is unlocked, either with the handset lock code or with the device’s biometrics, the timer is reset until the device is locked again, and then the process repeats.

A small loophole allows the timer to be delayed. Connecting a USB accessory such as the “Apple Lightning to USB 3 Camera Adapter” within the one-hour limit delays the timer for 7 days. If the adapter is removed and reconnected, the iOS device restarts the 7-day timer. This process is repeatable.

Not all adapters are created equal. Some adapters that we have tested worked great, while others gave us false hope. Devices that can maintain a USB connection, such as OTG devices or display adapters, seem to have a higher chance of working. Even so, no adapter has been able to disable USB Restricted Mode once it has been activated.

Some of the devices that worked:

  • Apple Lightning to USB 3 Camera Adapters
  • PhotoFast 32GB OTG USB Lightning Drive
  • An untrusted computer (does not matter if iTunes is installed)

Some of the ones that did NOT work:

  • Apple Lightning to AUX (3.5mm) Adapter
  • Apple Lightning to MicroUSB Adapter

It’s important to test any adapter before going into the field with it. We recommend that you lock the device, plug in the desired accessory, then wait at least 65 minutes. Remove the adapter, then try to connect to a forensic computer.

If the PC recognizes the iOS device and allows you to read the UDID, it worked: the timer was delayed and you were able to connect to the device. If the device vibrates three times and displays the notification mentioned above, unfortunately that adapter did not delay the timer.

Note that power may also need to be applied while the adapter is delaying the timer. Adapters that feature a Lightning port can provide power to the device when also connected to a portable battery pack. OTG Lightning/USB drives and the camera/display adapters take top marks here because of this dual purpose.

PhotoFast 32GB OTG USB Lightning Drive
Apple Lightning to USB 3 Camera Adapter

Recent testing has also shown that even an untrusted computer can act as a delay device. Plugging the target’s device into a PC could delay the timer and provide charge to the device. Because it would be difficult to isolate the device like this, however, it is important to use proper Faraday bags with shielded cabling, or to ensure the device is in Airplane Mode.

In-Field Best Practices Workflow

For any examiner or first responder in the field, a new set of protocols must be developed for dealing with iOS devices. Once an iOS device has been identified as being of interest, it must immediately be connected to a source that delays the USB Restricted Mode timer, and it must be acquired as soon as possible. Even if the data will not be analyzed for months, acquiring it immediately ensures that the examiner will at least be able to collect the information.

To that end, we recommend the following best practices workflow for iOS devices:

  1. Identify that the iOS device is needed for evidence.
  2. Immediately plug in an adapter to delay USB Restricted Mode.
  3. Attempt to access the iOS device’s Control Center and enable Airplane Mode.
  4. Connect the device to power/charge for transportation.
  5. Place the device and charger battery into a Faraday bag.
  6. Immediately image the device using a forensic tool such as Magnet AXIOM or ACQUIRE.
    1. If the device handset is locked, keep the device powered and isolated.
    2. Continue to leave the adapter inserted, unplugging and re-plugging it every 7 days until the passcode can be obtained.
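The timer rules described earlier (the one-hour countdown from lock, the reset on unlock, the 7-day extension from an accessory, the SOS trigger and the inverted “USB Accessories” toggle), the 65-minute bench test, and step 6.2 of the workflow above all describe one state machine. The following Python is an added example that models it so a lab can check a planned handling procedure against those rules before trying it on hardware; it is written for this post and is neither Apple’s implementation nor Magnet Forensics code. The timings and toggle semantics come from the post. How a lock that happens while an adapter is already attached interacts with the 7-day timer is not described, so the model assumes the adapter is inserted after the device is already locked, which is the seizure case the post is about.

```python
"""Event model of the USB Restricted Mode timer as described in the post.

Added example: not Apple's implementation and not Magnet Forensics code.
Times are minutes. The 60-minute window, 7-day extension, SOS trigger and
toggle semantics are from the post; ordering assumptions are noted inline.
"""
from typing import Optional

ONE_HOUR = 60
SEVEN_DAYS = 7 * 24 * 60
LOCKED_OUT_MESSAGE = "Unlock iPhone to use accessories"  # shown with three long vibrations


class USBRestrictedModeModel:
    def __init__(self, usb_accessories_toggle_on: bool = False) -> None:
        # Settings > Touch ID & Passcode > "USB Accessories": ON means the mode
        # is disabled; OFF (the default) means the one-hour window is in effect.
        self.toggle_on = usb_accessories_toggle_on
        self.deadline: Optional[int] = None  # minute the data pins switch off; None = no countdown
        self.sos_triggered = False

    def data_port_open(self, now: int) -> bool:
        """True while a computer or accessory could still connect."""
        if self.toggle_on:
            return True
        if self.sos_triggered:
            return False
        return self.deadline is None or now < self.deadline

    def unlock(self, now: int) -> None:
        """Passcode or biometric unlock resets the timer and clears an SOS lockout."""
        self.deadline = None
        self.sos_triggered = False

    def lock(self, now: int) -> None:
        """The one-hour countdown starts the moment the device locks.
        Assumption: no adapter is attached yet (the usual seizure case)."""
        if self.data_port_open(now):
            self.deadline = now + ONE_HOUR

    def emergency_sos(self, now: int) -> None:
        """SOS mode engages the restriction immediately."""
        self.sos_triggered = True

    def connect_accessory(self, now: int) -> str:
        """Adapter, OTG drive or untrusted computer. Inside the open window this
        pushes the deadline out 7 days; otherwise the device refuses the connection."""
        if not self.data_port_open(now):
            return LOCKED_OUT_MESSAGE
        self.deadline = now + SEVEN_DAYS
        return "connected"

    def disconnect_accessory(self, now: int) -> None:
        """Unplugging has no effect on its own; re-plugging restarts the 7 days."""


def adapter_bench_test(adapter_delays_timer: bool) -> bool:
    """The post's test: lock, plug in the adapter, wait 65+ minutes, remove it,
    then connect a forensic computer. True means the computer could connect."""
    dev = USBRestrictedModeModel()
    dev.lock(0)
    if adapter_delays_timer:
        dev.connect_accessory(1)
        dev.disconnect_accessory(66)
    return dev.connect_accessory(66) == "connected"


def keep_alive(replug_every: int, total_minutes: int) -> bool:
    """Workflow step 6.2: locked device kept powered and isolated, adapter
    re-plugged at a fixed interval. Returns whether the port is still usable
    at the end; re-plugging late loses the device."""
    dev = USBRestrictedModeModel()
    dev.lock(0)
    if dev.connect_accessory(0) != "connected":
        return False
    t = replug_every
    while t < total_minutes:
        dev.disconnect_accessory(t)
        if dev.connect_accessory(t) != "connected":
            return False
        t += replug_every
    return dev.data_port_open(total_minutes)


def sos_then_connect() -> str:
    """An unlocked device sent to SOS refuses accessories until it is unlocked again."""
    dev = USBRestrictedModeModel()
    dev.unlock(0)
    dev.emergency_sos(5)
    return dev.connect_accessory(6)
```

The two `keep_alive` cases worth trying are an interval slightly under 7 days, which keeps the port open indefinitely, and one slightly over, which fails at the first re-plug: the 7 days count from the last successful connection, not from the seizure, so a re-plug schedule needs a margin.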

Even if the first responder connects the device and sees the “Unlock iPhone to use accessories” prompt, it’s important to educate them to still transport the device to a forensic laboratory for imaging immediately. Biometric unlocks may still be available if all three of the following conditions are met:

  • The device has been unlocked in the last 48 hours.
  • The SIM card slot hasn’t been removed.
  • The device hasn’t been rebooted.

Under these conditions, law enforcement may be able to compel the user to give their fingerprint or facial unlock to re-enable the USB port.

If the device is unavailable for imaging, thanks to USB Restricted Mode or an unknown handset lock code, the examiner will have to turn to iCloud backups or locally stored iTunes backups. With information gathered by looking at the device, it may be possible to serve a search warrant on Apple to obtain the backups from iCloud along with other data such as iCloud iMessages and Photos.

If the iCloud password can be obtained, with proper authority, the examiner can also use AXIOM Cloud collection features to pull this information into AXIOM alongside other relevant information.

In conclusion, it is important for every agency to invest in some adapters that can help delay this timer, and to educate first responders and analysts alike. Resources like the Magnet Forensics iOS 11 white paper can be distributed for this purpose and are available for free on the Magnet Forensics website.

We as a community must change the way we handle and look at iOS devices, acting immediately to ensure we can collect information from them as this feature becomes more widespread.

