Channel: Magnet Forensics

Three Newer Things that May Surprise You about iOS Forensics


By Jessica Hyde, Director, Forensics

I recently delivered a webinar, “Apple’s Tween Years: iOS’ Maturation from 10 through 11 and into 12,” followed by an iOS and cloud forensics focused trip to New Zealand, Australia, and Singapore. From talking with examiners at these events, I realized that the lecture content contained three “surprises” that could affect forensic investigations. I wanted to take a moment to share those items, which may be important for you to know.

1. Don’t Remove the SIM Card if You Want to Use Biometric Unlocking

SIM card removal from a locked iOS 12 device disables Touch ID and Face ID. It is important to note that if the SIM card is removed with the device in an unlocked state, Touch ID and Face ID are still available. Interestingly, SIM card removal is not listed as a situation that requires a passcode in Apple’s iOS Security Guide.

This can be an issue when an organization’s Standard Operating Procedures (SOPs) involve removing the SIM card for network isolation. Often SIM card removal is used when first responders lack access to other methods of network isolation, such as a Faraday enclosure.

Where this becomes problematic is when the owner of a locked iOS 12 device is deceased, and the first responder is attempting network isolation prior to unlocking via Touch ID or Face ID. In this instance, SIM card removal is often used because Faraday enclosures make it difficult to perform biometric unlocking.

As a result, your organization may want to adapt its SOP to encourage finding alternative methods of network isolation, if available, when encountering locked iOS 12 devices. Whatever alternative is chosen should leave biometric unlocking available rather than disabling it.

2. Backups Get Harder to Find as a Result of a New UDID Format

An iOS device’s UDID is important because it is also the name of that device’s backup file. This allows you to document that this backup is of this device. The UDID is unique per device and can be found by connecting the phone and looking in iTunes, Xcode (Mac), or the Registry (Windows).

A hardware-based change to the UDID format affects newer devices with the A12 chip, including the iPhone XS, XS Max, and XR, as well as (reportedly) the Apple Watch 4 with the S4 chip.

In the screen capture below, you can see backups of an iPad Mini 4 with the traditional-format UDID on top and an iPhone XR backup with the UDID in the new format. When looking for backups, if you see this new format, rest assured it is an iOS backup of newer hardware.

3. Wait – Where’s my Backup?

You may have noticed something in the screenshot above. That path is different from where you may have seen backups on a Windows device before. And those backups were created with iTunes in the default locations.

Examiners sometimes recover iOS backups from computers as a source of evidence. If you are only looking in the traditional places, you may be missing iOS backups.

This new location for backups occurs on Windows PCs where the installed version of iTunes was downloaded from the Microsoft Store. Currently when PC users go to the iTunes page to download iTunes, the page prompts you to download from the Microsoft Store, so this is likely to be the default location on computers that have only recently installed iTunes for the first time.

Backup Locations:

  • Mac: ~/Library/Application Support/MobileSync/Backup/
  • Windows: C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup
  • Windows, if iTunes was downloaded from the Microsoft Store: C:\Users\<username>\Apple\MobileSync\Backup
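An added example, not code from the post or from Magnet Forensics: a Python script that checks the three backup locations listed above under a given home directory and classifies each backup folder by its UDID format. The post does not spell out the new format; the patterns below (40 hexadecimal characters for older devices; 8 hexadecimal characters, a hyphen and 16 hexadecimal characters for A12-class devices) are stated from general knowledge, and the Info.plist keys read are the ones iTunes writes into each backup folder. The sample backups the script creates when no real ones are present are constructed, including their UDIDs, product types and device names.

```python
import re
import plistlib
import tempfile
from pathlib import Path

# UDID formats (general knowledge, not stated in the post):
#   pre-A12 devices: 40 hex characters
#   A12-class devices: 8 hex characters, a hyphen, 16 hex characters
LEGACY_UDID = re.compile(r"^[0-9a-fA-F]{40}$")
A12_UDID = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{16}$")


def classify_udid(name: str):
    """Return 'legacy', 'a12' or None for a backup directory name."""
    if LEGACY_UDID.match(name):
        return "legacy"
    if A12_UDID.match(name):
        return "a12"
    return None


def candidate_backup_roots(home: Path):
    """All MobileSync/Backup locations named in the post, relative to a user's
    home directory. On a real system only the ones for that OS will exist."""
    return [
        home / "Library" / "Application Support" / "MobileSync" / "Backup",        # macOS
        home / "AppData" / "Roaming" / "Apple Computer" / "MobileSync" / "Backup",  # Windows, iTunes from apple.com
        home / "Apple" / "MobileSync" / "Backup",                                   # Windows, iTunes from Microsoft Store
    ]


def find_backups(home: Path):
    """Walk every candidate root and describe each backup directory found."""
    found = []
    for root in candidate_backup_roots(home):
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if not entry.is_dir():
                continue
            kind = classify_udid(entry.name)
            if kind is None:
                continue  # not a UDID-named folder, so not an iTunes backup
            info = {}
            info_plist = entry / "Info.plist"  # iTunes stores device details here
            if info_plist.is_file():
                with open(info_plist, "rb") as f:
                    info = plistlib.load(f)
            found.append({
                "root": str(root),
                "udid": entry.name,
                "udid_format": kind,
                "product_type": info.get("Product Type"),
                "device_name": info.get("Device Name"),
            })
    return found


def build_constructed_home():
    """Build a throwaway home directory holding two fake backups (constructed
    data) under the Microsoft Store iTunes location, for demonstration only."""
    home = Path(tempfile.mkdtemp())
    root = home / "Apple" / "MobileSync" / "Backup"
    samples = {
        "0123456789abcdef0123456789abcdef01234567":
            {"Product Type": "iPad5,1", "Device Name": "iPad mini 4 (constructed)"},
        "00008020-000A1B2C3D4E5F67":
            {"Product Type": "iPhone11,8", "Device Name": "iPhone XR (constructed)"},
    }
    for udid, info in samples.items():
        folder = root / udid
        folder.mkdir(parents=True)
        with open(folder / "Info.plist", "wb") as f:
            plistlib.dump(info, f)
    return home


if __name__ == "__main__":
    # Use real backups under the current user's home if any exist, else the constructed set.
    results = find_backups(Path.home()) or find_backups(build_constructed_home())
    for backup in results:
        print(backup)
```

Run against a suspect's user profile (pass that profile's home directory instead of Path.home()) the output documents which root each backup came from, which is exactly the detail that is easy to miss when only the classic AppData path is checked.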

The three changes described in this blog post show that changes — both big and small — can affect forensic examinations. Further, Apple doesn’t limit changes to iOS. Some changes may be hardware dependent; others are grounded in how a user downloaded iTunes.

Ultimately, these changes serve as a reminder that even small changes can have major consequences on our ability to acquire data from devices or even find backup sources. As with everything described in our blog, be sure to validate on your own tools and test devices.

Questions or comments? Reach out to: Jessica.Hyde@magnetforensics.com

The post Three Newer Things that May Surprise You about iOS Forensics appeared first on Magnet Forensics.


Magnet AXIOM 2.9 Includes Enhanced Custom Artifact Support and New Android Acquisition Methods


Magnet AXIOM 2.9 is now available for download! Read more about what’s included in the latest release of AXIOM, including enhanced custom artifact support, new logical acquisition options for Android, and updates to G Suite support.

Try it for yourself now! If you’re a customer, download AXIOM 2.9 right now either in-app or in the Customer Portal. If you want to try AXIOM 2.9 for yourself, request a trial today.

Enhanced Custom Artifact Support

In addition to the support we’re constantly providing for new artifacts with every release, AXIOM 2.9 will provide you with a big expansion on its custom artifact capabilities. Because of the sheer number of possible artifacts you may run into, there will be times where full native support is not yet available.

These new capabilities will put more control in your hands as you can specify file extensions or file signatures (for example CAD drawings or Photoshop drawings) for artifacts without native support.

An Excel file with custom specifications can be launched for editing within AXIOM and those specifications will be available for every case file. Hashes of the data recovered will be provided along with some basic de-duplication as well as timestamp and location information for where these were found.

More Logical Acquisition Methods for Android

Get more information and artifacts from more Android devices with two new logical acquisition methods that have been added to AXIOM 2.9.

The new methods are available through the ADB (unlocked) device workflow and will enable a logical extraction from Android devices where possible. This includes rooted devices, or Android 5, 6, and 7 devices without the December 2016 security patch.

Recover G Suite Calendar Events

Adding onto our previously released support for G Suite, AXIOM Cloud users can now also recover calendar events stored in G Suite — helping you collect and process a full set of user data from a G Suite account during corporate investigations.

New and Updated Artifacts

We’re always bringing new and updated artifacts to each release of AXIOM. Here’s what’s included in AXIOM 2.9:

New in Android

  • Samsung Browser
    • Recover information from the Samsung Browser on Samsung Android mobile phones, including web history and visits, media history, downloads, cache information, cookies and auto-fill information, etc.
  • Reddit
    • Get recently viewed sub-reddits and account information.

New in iOS

  • KnowledgeC (App Intents + Media History)
    • Obtained through a GrayKey image, recover information about the type of intent taken, along with the action and any metadata and associated information as well. Also, recover information about media (video and audio) that has been played on the device.

New in All Platforms

  • Encrypted files
    • An entirely new implementation leveraging Passware’s technology to find common encrypted file types. This artifact vastly improves the performance from the previous implementation, while also reducing false positive results.

New in Windows

  • Edge, Chrome and Firefox
    • Recover information about add-ons and extensions that were installed for the Microsoft Edge, Chrome, and Firefox browsers. With the Edge browser, we have enhanced support for recovering and attributing browsing history, as well as adding support to recover top sites, typed URLs, favorites and reading list information.
  • Your Phone
    • Allows for attribution of pictures found on a computer which were received via the Your Phone sync application, as well as device sync settings and information.

Updates

  • Chrome (Android)
  • SMS/MMS (Android)
  • User Info (Android)
  • Android Email (Android)
  • Events (Android)
  • Snapchat (iOS)
  • Kik (iOS)
  • Locations (iOS)
  • Call logs (iOS)
  • Instagram (iOS)
  • iMessage (iOS)
  • User Accounts (Windows)
  • Skype (Windows)
  • Windows Timeline (Windows)
  • Chrome (Windows)

If you’re already using AXIOM, download AXIOM 2.9 over at the Customer Portal. If you want to see how AXIOM 2.9 can give you a better investigative starting point, request a free 30-day trial today!


Announcing the First Winner of the Magnet Forensics Scholarship Program

Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT

We’re proud to announce the first recipient of the Magnet Forensics Scholarship Program: Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT.

Eric worked with his Lieutenant to apply for the scholarship and subsequently devote time throughout the year for the free training and travel opportunities provided and we’re excited to see how he takes to the program. We caught up with Eric to get his thoughts on the program and what he hopes to accomplish with it — read the Q&A below.

And we’ve opened up the Scholarship program for 2019, so if you’re an officer who is looking to get a head start in digital investigations, apply today! This year, we’re also offering a scholarship opportunity for experienced digital forensics experts who have no experience with Magnet AXIOM. If your toolkit has other solutions and you’ve been wanting to learn how to use AXIOM and incorporate it into your workflow, apply today.

Magnet Forensics: What is your current role/department?

Eric Dalla Mura: I am a Detective Corporal at the Burlington Police Department in Burlington, VT.  I am currently assigned to the General Investigations unit.

MF: What has been your policing experience up until now?

EDM: I have been an Officer with Burlington for ten years but began my career as an Officer in Mesa, Arizona. Almost all of that has been as Patrol Officer with additional assignments as a Field Training Officer and various instructor roles over the years. I am also a member of the Vermont Internet Crimes Against Children Task Force. 

MF: How would you describe your knowledge of digital forensics up until now?

EDM: My knowledge of digital forensics comes from on-the-job training and experience, as well as an undergraduate certificate in Computer Investigations and Digital Forensics from Champlain College. I have a working knowledge in the field but my role does not let me focus on digital forensics all of the time. I know enough to be aware that I still have a lot to learn. 

MF: What made you want to get into the field?

EDM: A combination of things, but mainly a desire to specialize and challenge myself. After spending so much time as a Patrol Officer I wanted something new; I wanted to investigate bigger and more complicated crimes. I initially took advantage of my department’s tuition reimbursement program and found that I enjoyed learning the material and I was eager to apply it. 

MF: How did your application come about for the Magnet Forensics Scholarship Program?

EDM: I knew of Magnet Forensics as a well-recognized company but had never used their tools, so I went online to see what training they had to offer. I found the scholarship, and was able to convince my administration that an opportunity for free training and a temporary software license would be worth any time I would be out of the office.

MF: What are you hoping to achieve after completing the Scholarship Program?

EDM: I know I will come out of it with greater knowledge and experience. We are seizing an increasing number of devices that we incorporate into our investigations. I hope I can show through actual application that investing resources into our department’s capabilities is critical to the future of policing. 

MF: What are you looking forward to learning in the program?

EDM: There are things I know can be done but I don’t have the skill or knowledge to do yet. Most of my computer investigations are focused on the subpoena and warrant side of things. I want to get more out of devices when I have them, and I want to be able to explain it better in court when I do. 

MF: How has the support been from your leadership?

EDM: They have been completely on board with this scholarship program. Instituting a digital forensics or computer-related crime program in general has been more of a challenge. Funding, staffing and other issues are and always will be obstacles to overcome. At the same time, the leadership here is interested in doing what it takes to solve cases. Showing what we can do when we have resources in place is an important part of proving how important digital evidence is. I appreciate the department allowing me the time to take advantage of Magnet’s training.

MF: Any other thoughts you would like to share?

EDM: On behalf of BPD and myself personally, I will just say thank you again. It’s a great opportunity and I am genuinely excited to start training.

Learn More About the Magnet Forensics Scholarship Program

We want to give promising new officers an opportunity to get a head start in digital investigations. If you are currently performing a non-technical role and would like to explore future career opportunities in digital forensics, or you’re currently inexperienced with Magnet AXIOM, then this scholarship program is for you. Visit our Scholarship Program page and send in your application today!


How to Get GrayKey from Magnet Forensics


If you haven’t heard the news yet, Grayshift and Magnet Forensics have entered into an exclusive global technology and distribution partnership! That means it’s easier than ever to use GrayKey and Magnet AXIOM for all of your iOS investigations so you can obtain the best results.

Who Can Buy GrayKey?

GrayKey is available for purchase by local, state, and federal law enforcement, public safety, and defense agencies worldwide. GrayKey is not available to the private sector.

How Can Someone in Law Enforcement Purchase GrayKey?

GrayKey is available in select countries around the world. Simply fill out the form on this page to connect with a Magnet Forensics sales rep to learn more.

Can I Purchase Magnet AXIOM at the Same Time?

Yes! By getting AXIOM and GrayKey together, you’ll have the best solution on the market for investigating iOS devices. Learn all about how they work together here.

Where Can I Go to Learn More about How GrayKey and AXIOM Work Together?

We have many resources available to show you how AXIOM helps you get the most out of your GrayKey images:

How Do I Start?

To get started, fill out this form. A Magnet Forensics rep will follow up with more information and to qualify your request. For any other questions, please email sales@magnetforensics.com for more information.


Maximizing the Partnership Between GrayKey and Magnet AXIOM


Magnet Forensics and Grayshift have partnered to provide law enforcement the tools they need to acquire and process the most data from iOS devices. This partnership is a result of our joint mission to help our law enforcement customers seek justice and protect the innocent. 

For many years law enforcement agencies have struggled to acquire important information from these devices. While GrayKey has allowed us to potentially brute-force passcodes, it also enables examiners to acquire more data than any other solution on the market and then review it in a tool such as Magnet AXIOM.

There are several different types of images that can be generated by GrayKey, including BFU or Before First Unlock, AFU or After First Unlock, or Full Filesystem images. Regardless of which type of image an examiner can acquire, each type can be ingested into Magnet AXIOM and processed for information.

In order to load the images into Magnet AXIOM, users only need to select “Mobile -> iOS -> Load Evidence -> Images” from the Evidence Sources area of AXIOM Process.

Evidence Sources in AXIOM

Once the evidence selection screen loads, users can select any of the image format types generated by the GrayKey for processing. These images are stored by the format “<udid>_files_<image type>.zip” which will tie back to the Unique Device Identifier of the iOS device in question. The type of image will reflect if this image is a BFU, AFU, or File System image acquired from the GrayKey device.

Image types

Once a File System image has been selected and loaded, users will be able to selectively pick any or all areas of the file system they want AXIOM to be able to scan for information. This helps users who are low on time or simply looking for very specific artifacts in the file system.

Add files and folders

The only difference in loading GrayKey data is around loading the keychain data, which will include exportable and non-exportable values for review. In order to load the keychain, users need to follow a similar procedure as for the images, but instead of selecting “Images” they will select “Files/Folders” and direct AXIOM to the “udid_keychain.plist” file.

Loading GrayKey data

Once all of your selected GrayKey data is ingested into AXIOM, examiners can then decide which artifacts they wish to scan, and even use advanced features such as AXIOM’s Dynamic App Finder or Custom Search by File Type to locate additional relevant data within the images.

Once the information has been loaded into Magnet Examine, there is a wealth of artifacts that Magnet has recently added to the product to maximize the information available to users. In this blog, we will detail several important artifact pieces you can expect to find in these images.

Write Ahead Logs

GrayKey can obtain a full file system image of the device, which means that temporary or support files that exist alongside our standard artifacts are now available for review. A prime example is the sms.db-wal file that lives in the same directory as sms.db. The sms.db database allows examiners to recover and parse iMessages, SMS messages, and MMS messages. However, because this database uses SQLite’s “write ahead log” functionality, messages are in fact written to the sms.db-wal file before being committed into the main sms.db. This can cause issues in recovering potentially deleted messages, depending on how long the messages were on the device before being deleted. If messages are deleted as soon as they are sent or received, it is much less likely that they can be recovered from a standard iTunes-style extraction. However, since GrayKey allows us to extract the full file system, we now have access to this file, and AXIOM will attempt to carve for any traces of messages left behind in the write ahead log, including potentially deleted messages.
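To make the write-ahead-log point concrete, here is an added Python example (not code from the post, and not how AXIOM itself carves) that builds a tiny sms.db-style database in WAL mode, inserts and then deletes a constructed message, and parses the sms.db-wal frame headers according to the SQLite file format to show that an earlier frame of the same page still carries the deleted text even though a query against the database returns nothing. The message table schema and the message text are constructed; the carving step is a plain printable-string scan rather than a record parser.

```python
import os
import re
import sqlite3
import struct
import tempfile

# WAL header magic: 0x377f0682 (little-endian checksums) or 0x377f0683 (big-endian checksums).
WAL_MAGIC = {0x377F0682, 0x377F0683}


def parse_wal_frames(wal: bytes):
    """Split a SQLite -wal file into frames.

    Layout per the SQLite file format: a 32-byte header (magic, format version,
    page size, checkpoint sequence, salt-1, salt-2, checksum-1, checksum-2),
    then repeated 24-byte frame headers each followed by one database page.
    Frames whose salts differ from the header are leftovers from an earlier
    checkpoint cycle; they are kept but flagged, because for carving purposes
    stale pages are still interesting."""
    if len(wal) < 32:
        return []
    magic, _ver, page_size, _ckpt, salt1, salt2, _c1, _c2 = struct.unpack(">8I", wal[:32])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], 32
    while off + 24 + page_size <= len(wal):
        pgno, commit_size, s1, s2, _k1, _k2 = struct.unpack(">6I", wal[off:off + 24])
        frames.append({
            "page": pgno,
            "commit": commit_size != 0,            # non-zero only on the last frame of a transaction
            "stale": (s1, s2) != (salt1, salt2),
            "data": wal[off + 24:off + 24 + page_size],
        })
        off += 24 + page_size
    return frames


def carve_strings(blob: bytes, min_len: int = 8):
    """Pull printable ASCII runs out of a page: the simplest form of carving."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def demo_deleted_message_in_wal():
    """Insert a message, delete it, and report where its text still lives."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    # Constructed stand-in for the real sms.db schema.
    con.execute("CREATE TABLE message(ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER)")
    con.execute("INSERT INTO message(text, date) VALUES (?, ?)",
                ("CONSTRUCTED-MSG: meet at the usual place at 9", 1549000000))
    con.commit()                                   # frame appended to the WAL with this row present
    con.execute("DELETE FROM message WHERE ROWID = 1")
    con.commit()                                   # newer frame for the same page, row gone
    live_rows = con.execute("SELECT count(*) FROM message").fetchone()[0]
    # Read the WAL before closing: closing the last connection checkpoints it
    # into sms.db and deletes sms.db-wal, which would destroy the evidence.
    with open(path + "-wal", "rb") as f:
        frames = parse_wal_frames(f.read())
    con.close()
    hits = [i for i, fr in enumerate(frames)
            if any("CONSTRUCTED-MSG" in s for s in carve_strings(fr["data"]))]
    return {"live_rows": live_rows, "frames": len(frames), "frames_with_message": hits}


if __name__ == "__main__":
    print(demo_deleted_message_in_wal())
```

The design point for examiners: the WAL is only preserved while it is never checkpointed, so a full file system image that captures sms.db-wal alongside sms.db keeps these earlier page versions, whereas opening the database in a tool that checkpoints on close, or copying sms.db alone, loses them.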

Artifact information
Preview

In the above examples, you can see a message that has been recovered from the write ahead log of an sms.db, and how AXIOM can still link much of the information back together, including timestamps and directionality, and use Connections to map communications between users. Messages recovered from the write ahead log are also still part of the chat threading options in AXIOM, so users can see these data points threaded out in a chronological view for review.

Third-Party Application Data

In standard iTunes-style backup images, developers can be very selective about what from their applications they want to include. Prime examples include Facebook, Instagram, and Twitter, which leave key files out of these backups. Since AXIOM gets access to the full file system from GrayKey images, this third-party application data is available to us again. Some brief examples in AXIOM are Facebook Messenger messages, Instagram Direct Messages, and Twitter tweets.

Social Networking

This also gives the examiner a chance to dig deeper into applications that aren’t normally processed by artifacts such as this example showing the recovery of data for the DJI Go application.

Recovery of data for the DJI Go application

Apple Mail

The Apple Mail application (Mail.app) has been frustrating many forensic examiners since the days of the iPhone 4, as its information has not been available since then. Apple protects the Mail.app data at some of the highest protection levels of the file system, so this information will only be available in a Full File System image once the passcode has been determined.

Once found, AXIOM Examine will display the saved to/from, subject, date sent, date received, summary, and read status of emails that are recovered from this application. These mails can provide valuable communication points but can also inform an examiner about other services that they may need to look for.

Apple Mail

In addition to the data found within the Mail application, AXIOM Examine may also recover artifacts known as Apple Mail Fragments from different sources even if a full filesystem isn’t available. These fragments can help examiners key in on email addresses being used on a device in order to launch investigations from the service provider’s end while waiting for the device password to be recovered in order to obtain all of the data from the device. For example, these email fragments may be recoverable from a process memory image generated by GrayKey from a device in the After First Unlock (AFU) state.

Web Cache and App Cache

In addition to recovering standard Safari data, these file system images allow us to recover additional web data such as Safari App Cache information. Since the web cache can give us some context as to what users are viewing on URLs, this information can become very valuable in certain case types where users are viewing illicit material online.

Web Cache and App Cache

The App Cache artifact can allow examiners to see what is being stored within the cache for specific artifacts. Since applications typically have built-in browsers but don’t store many logs of web history for those browsers, this may give an examiner a chance to recover information that was found when clicking on a link inside a third-party application.

Artifact Information

Operating System Data – KnowledgeC

The Operating System category within AXIOM Examine has many artifacts available exclusively to these file system images. One such great example is the KnowledgeC artifact set. These artifacts can help to determine a pattern of usage of an application or a user in general by looking at multiple artifacts to map out such activity.

KnowledgeC

Operating System Data – Network Usage

The Network Usage artifacts under the Operating System category allow examiners to see wireless access points the user has communicated on, as well as cellular towers the user has sent data to. The Network Usage – Connections artifact will display the Cell ID or MAC address, depending on the type.

The Network Usage – Application Data artifact works a lot like Windows SRUM. This artifact allows examiners to see which processes have used data, how much data, and over what connection types including WiFi, Cellular, and Wired. If a user claims they have never used an application, searching for the application ID can help to prove or disprove this and show exactly how much data has been sent across the networks. Note: this information can be reset by a user clearing their Usage statistics on their settings so it’s not a complete history since the device was first powered on.

Network Usage

Operating System Data – Screen Time

New to iOS 12, the Screen Time data that is generated by iOS allows examiners to track within 1-hour intervals how much an application was used, how many notifications it generated, and how many times the device was picked up due to this application. This information can be incredibly valuable but is a key reason why devices must be acquired immediately upon seizure.

Operating System Data - Screen Time

Location Data

There are multiple points of location data storage within modern iOS devices. Cached locations and Frequent Locations can be incredibly relevant in helping to determine a location or region that a user has visited. Other information such as Apple Pay transaction data can also be viewed within AXIOM Examine’s World Map View in order to map out these location points to make sense of a user’s activities.

Location Data

Keychain Data

The data stored within the keychain files generated by the GrayKey will include both exportable and non-exportable values. This means that there will be data within the GrayKey-generated keychains that will not be available from keychain entries in encrypted iOS backups. These can include wireless access points stored as “AirPort” entries with their SSIDs and passcodes, backup passwords for encrypted backups, and tokens for multiple services the user has interacted with on this device. The Internet Passwords artifact will store information passed into the Keychain from using the Safari browser, and can even pass information from one iOS device to another or to a macOS device. This can allow users to recover usernames and passwords for cloud-based sources and, with proper legal authority, acquire them using a service such as AXIOM Cloud.

Keychain Data

Process Memory Image Analysis

By processing the images of Process Memory generated by GrayKey, AXIOM will be able to carve information stored within the process memory of AFU (after first unlock) devices. This can include information that may have been deleted from the file system. These images are acquired from the GrayKey device and will be named “<udid>_mem.zip” and can be loaded into AXIOM Process the same way as any other image. Once loaded, AXIOM will automatically attempt to carve for records including web related, chat, email, media, and more. The below example shows some of the information that was carved from a process memory image including iMessage/SMS messages, mail fragments, call logs, and refined results such as Google Searches that were performed.

Refined results

Wrap-Up

The team at Magnet Forensics has spent a lot of time recently diving deep into the images provided by the team at Grayshift. We have taken this research very seriously and have been working hard in order to provide new and exciting artifacts to the forensic community to make parsing through the massive amounts of data available easier. With this new partnership, Magnet Forensics and Grayshift are dedicated to helping our customers have the easiest and most powerful tools at their disposal when dealing with iOS devices.

Stay tuned for some additional exciting artifacts coming your way very soon!



Magnet Forensics and Grayshift, Partnering to Preserve Justice


We at Magnet Forensics are pleased to announce our partnership with Grayshift. At the core of this partnership is a shared commitment to helping law enforcement agencies seek justice and protect the innocent.

Citizens may not realize it, but the technologies that allow us to socially connect and conduct commerce with the touch of a smartphone have also created complexities for law enforcement agencies as they investigate crimes such as human trafficking, child sexual exploitation, homicide and virtually every type of crime today where a smartphone can be involved. In some instances, the very fact that critical evidence resides on a smartphone has led investigations to a dead end. This is the unfortunate reality, even when police agencies have a court order to review such evidence.

To date, there have been limited options for law enforcement to address this challenge. 

We hear regularly from digital forensic investigators and police leaders that the existing mobile forensics solutions have created challenges for law enforcement agencies in terms of containing their cost, getting to critical digital evidence in a timely fashion, and preserving chain of custody. Some have expressed deep concern with the idea of having to pick and choose which cases get to have digital forensic examinations due to the cost of a mobile forensics examination. In other instances, we have heard questions arise about the chain of custody in cases where smartphones have to be shipped, sometimes abroad, to be unlocked for examination.

Addressing these challenges is central to the technology partnership of Magnet AXIOM and GrayKey.

A Commitment to Law Enforcement and Helping Uphold the Rule of Law

Magnet Forensics has always made it our mission to help law enforcement agencies use every lawful tool at their disposal to find the evidence that can save lives and convict or exonerate suspects. Ultimately, finding the truth is core to our purpose and technology.

The partnership between Magnet AXIOM and GrayKey will give digital investigators the ability to acquire, analyze and report on lawfully acquired digital evidence from iOS devices. We are allowing agencies to utilize these tools in their labs, saving them time and preserving chain of custody. We believe that all cases with critical digital evidence should have access to the digital forensics lab when the agency has the proper authority to review such evidence.

The partnership between Magnet Forensics and Grayshift goes beyond an obvious technological fit and need for mobile forensics options that address current gaps. As we have gotten to know the team at GrayKey, we have learned that at our cores, we share a commitment to law enforcement agencies in their pursuit of justice and upholding the rule of law.

Read more about the partnership between Magnet Forensics and Grayshift here


Magnet User Summit 2019 is Coming to The Hague!

MUS2019 The Hague

We’re bringing Magnet User Summit 2019 to The Hague on May 15 and registration is now open!

Magnet User Summit 2019 is a chance for customers and partners to come together and learn about the latest in digital forensics and digital evidence management.

Taking place in The Hague, Netherlands at the Hague Marriott Hotel, the Magnet User Summit is a one-day conference that provides an opportunity to hear about the latest trends in digital forensics and to take part in hands-on labs that will give you a unique opportunity to go in-depth with Magnet Forensics products. We’ll also offer the chance to relax and enjoy some refreshments at our networking event.

And fresh off our recent partnership announcement, Grayshift, the makers of GrayKey, will be joining us to talk about being the leader in iOS acquisitions and how, when paired with the analysis capabilities of Magnet AXIOM, it makes an unbeatable combination for law enforcement.

Find More Information and Register 

Visit www.magnetforensics.com/mus2019thehague/ to save your spot for the event and to get all the details you need — including the full event schedule.

We hope to see you there!

The Magnet Forensics Team


Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10


The latest version of Magnet AXIOM is now available for customers to download! Either upgrade in-app, or head over to the Customer Portal to download AXIOM 2.10.

In this release, we’ve focused on artifacts. We’ve introduced Slack for iOS and Android as well as the Microsoft Outlook app, also for iOS and Android. Learn more about these new artifacts below and see what else we’ve updated in AXIOM 2.10.

If you’re not already using AXIOM and want to try AXIOM 2.10 for yourself, request a trial today.

New Artifacts

  • Slack (Android and iOS)
    • With over 10 million installs on Android devices alone, Slack has become a very popular communication tool within the business community. The new Slack artifacts will recover channels, channel messages, direct messages, files, users, and workspaces.
  • Microsoft Outlook (Android and iOS)
    • Microsoft Outlook has become a popular replacement for native mail applications on mobile devices, supporting both Microsoft Mail services as well as other personal email accounts. New artifacts are available that capture Outlook email, calendar events, and contacts from Android and iOS.
  • Installed Applications (iOS — GrayKey)
    • Previously only available when using an iTunes backup, this artifact will also provide a list of Installed Applications when processing a GrayKey image.
  • Samsung Browser Bookmarks (Android)

Updated Artifacts

Windows:

  • Viber
    • Viber Chat Messages for version 9.2+

Android:

  • Skype Lite
  • SMS / MMS Messages
    • Attempts to map a name from the device contacts to the number used in the message, helping you better read and interpret message threads

iOS:

  • Private Notes
    • Recover and decrypt password-protected notes on Apple devices
  • iOS Device Information
    • Enhanced to provide additional details from iOS devices ingested using a quick acquisition

All Platforms:

  • Webkit Refactor
    • AXIOM will now provide a clearer picture of which application generated a link to a website by organizing results into more specific browser-based artifacts wherever possible
  • Password Recovery (Google Cloud)
    • Passwords can once again be recovered from Google using AXIOM Cloud after a temporary break due to a change made to the Google website
  • Image Attachments in Chat Threads (Android/iOS)
    • Fixed an issue where images were no longer appearing in chat bubbles. This has been resolved and images will now appear in chat bubbles, as well as in reports generated from conversation views
  • GZIP Archive Format
    • GZIP files, a commonly encountered archive format, are now supported in AXIOM

If you’re already using AXIOM, download AXIOM 2.10 over at the Customer Portal. If you want to see how AXIOM 2.10 can give you a better investigative starting point, request a free 30-day trial today!

The post Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10 appeared first on Magnet Forensics.


Announcing the First Winner of the Magnet Forensics Scholarship Program

Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT

We’re proud to announce the first recipient of the Magnet Forensics Scholarship Program: Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT.

Eric worked with his Lieutenant to apply for the scholarship and to set aside time throughout the year for the free training and travel opportunities it provides, and we’re excited to see how he takes to the program. We caught up with Eric to get his thoughts on the program and what he hopes to accomplish with it — read the Q&A below.

And we’ve opened up the Scholarship program for 2019, so if you’re an officer who is looking to get a head start in digital investigations, apply today! This year, we’re also offering a scholarship opportunity for experienced digital forensics experts who have no experience with Magnet AXIOM. If your toolkit has other solutions and you’ve been wanting to learn how to use AXIOM and incorporate it into your workflow, apply today.

Magnet Forensics: What is your current role/department?

Eric Dalla Mura: I am a Detective Corporal at the Burlington Police Department in Burlington, VT.  I am currently assigned to the General Investigations unit.

MF: What has been your policing experience up until now?

EDM: I have been an Officer with Burlington for ten years but began my career as an Officer in Mesa, Arizona. Almost all of that has been as a Patrol Officer with additional assignments as a Field Training Officer and various instructor roles over the years. I am also a member of the Vermont Internet Crimes Against Children Task Force.

MF: How would you describe your knowledge of digital forensics up until now?

EDM: My knowledge of digital forensics comes from on-the-job training and experience, as well as an undergraduate certificate in Computer Investigations and Digital Forensics from Champlain College. I have a working knowledge in the field but my role does not let me focus on digital forensics all of the time. I know enough to be aware that I still have a lot to learn. 

MF: What made you want to get into the field?

EDM: A combination of things, but mainly a desire to specialize and challenge myself. After spending so much time as a Patrol Officer I wanted something new; I wanted to investigate bigger and more complicated crimes. I initially took advantage of my department’s tuition reimbursement program and found that I enjoyed learning the material and I was eager to apply it. 

MF: How did your application come about for the Magnet Forensics Scholarship Program?

EDM: I knew of Magnet Forensics as a well-recognized company but had never used their tools, so I went online to see what training they had to offer. I found the scholarship, and was able to convince my administration that an opportunity for free training and a temporary software license would be worth any time I would be out of the office.

MF: What are you hoping to achieve after completing the Scholarship Program?

EDM: I know I will come out of it with greater knowledge and experience. We are seizing an increasing number of devices that we incorporate into our investigations. I hope I can show through actual application that investing resources into our department’s capabilities is critical to the future of policing. 

MF: What are you looking forward to learning in the program?

EDM: There are things I know can be done but I don’t have the skill or knowledge to do yet. Most of my computer investigations are focused on the subpoena and warrant side of things. I want to get more out of devices when I have them, and I want to be able to explain it better in court when I do. 

MF: How has the support been from your leadership?

EDM: They have been completely on board with this scholarship program. Instituting a digital forensics or computer-related crime program in general has been more of a challenge. Funding, staffing and other issues are and always will be obstacles to overcome. At the same time, the leadership here is interested in doing what it takes to solve cases. Showing what we can do when we have resources in place is an important part of proving how important digital evidence is. I appreciate the department allowing me the time to take advantage of Magnet’s training.

MF: Any other thoughts you would like to share?

EDM: On behalf of BPD and myself personally, I will just say thank you again. It’s a great opportunity and I am genuinely excited to start training.

Learn More About the Magnet Forensics Scholarship Program

We want to give promising new officers an opportunity to get a head start in digital investigations. If you are currently performing a non-technical role and would like to explore future career opportunities in digital forensics, or you’re currently inexperienced with Magnet AXIOM, then this scholarship program is for you. Visit our Scholarship Program page and send in your application today!

The post Announcing the First Winner of the Magnet Forensics Scholarship Program appeared first on Magnet Forensics.

How to Get GrayKey from Magnet Forensics


If you haven’t heard the news yet, Grayshift and Magnet Forensics have entered into an exclusive global technology and distribution partnership! That means it’s easier than ever to use GrayKey and Magnet AXIOM for all of your iOS investigations so you can obtain the best results.

Who Can Buy GrayKey?

GrayKey is available for purchase by local, state, and federal law enforcement, public safety, and defense agencies worldwide. GrayKey is not available to the private sector.

How Can Someone in Law Enforcement Purchase GrayKey?

GrayKey is available in select countries around the world. Simply fill out the form on this page to connect with a Magnet Forensics sales rep to learn more.

Can I Purchase Magnet AXIOM at the Same Time?

Yes! By getting AXIOM and GrayKey together, you’ll have the best solution on the market for investigating iOS devices. Learn all about how they work together here.

Where Can I Go to Learn More about How GrayKey and AXIOM Work Together?

We have many resources available to show you how AXIOM helps you get the most out of your GrayKey images:

How Do I Start?

To get started, fill out this form. A Magnet Forensics rep will follow up with more information and to qualify your request. For any other questions, please email sales@magnetforensics.com for more information.

The post How to Get GrayKey from Magnet Forensics appeared first on Magnet Forensics.

Maximizing the Partnership Between GrayKey and Magnet AXIOM


Magnet Forensics and Grayshift have partnered to provide law enforcement the tools they need to acquire and process the most data from iOS devices. This partnership is a result of our joint mission to help our law enforcement customers seek justice and protect the innocent. 

For many years law enforcement agencies have struggled to acquire important information from these devices. GrayKey not only makes it possible to brute-force the passcode in some cases, it also enables examiners to acquire more data than any other solution on the market and then review it in a tool such as Magnet AXIOM.

There are several different types of images that can be generated by GrayKey: BFU (Before First Unlock), AFU (After First Unlock), and Full Filesystem images. Regardless of which type of image an examiner is able to acquire, each type can be ingested into Magnet AXIOM and processed for information.

In order to load the images into Magnet AXIOM, users only need to select “Mobile -> iOS -> Load Evidence -> Images” from the Evidence Sources area of AXIOM Process.

Evidence Sources in AXIOM

Once the evidence selection screen loads, users can select any of the image format types generated by the GrayKey for processing. These images are named using the format “<udid>_files_<image type>.zip”, which ties back to the Unique Device Identifier of the iOS device in question. The image type in the name reflects whether the image is a BFU, AFU, or File System image acquired from the GrayKey device.

Images types

Once a File System image has been selected and loaded, users will be able to selectively pick any or all areas of the file system they want AXIOM to be able to scan for information. This helps users who are low on time or simply looking for very specific artifacts in the file system.

Add files and folders

The only difference when loading GrayKey data is the keychain, which includes both exportable and non-exportable values for review. To load the keychain, users follow the same procedure as for the images, but instead of selecting “Images” they select “Files/Folders” and direct AXIOM to the “udid_keychain.plist” file.

Loading GrayKey data

Once all of your selected GrayKey data is ingested into AXIOM, examiners can decide which artifacts they wish to scan and even use advanced features such as AXIOM’s Dynamic App Finder or Custom Search by File Type to locate additional relevant evidence within the images.

Once the information has been loaded into Magnet Examine, there is a wealth of artifacts that Magnet has recently added to the product to maximize the information available to users. In this blog, we will detail several important artifact pieces you can expect to find in these images.

Write Ahead Logs

GrayKey can obtain a full file system image of the device, which means that temporary or support files that exist alongside our standard artifacts are now available for review. A prime example of this is the sms.db-wal file that lives in the same directory as the sms.db. The sms.db allows examiners to recover and parse iMessages, SMS messages, and MMS messages. However, because this database uses the “write ahead log” functionality of SQLite, messages are in fact written to the sms.db-wal file before being committed into the main sms.db. This can cause issues in recovering potentially deleted messages, depending upon how long the messages were on the device before being deleted. If messages are deleted as soon as they are sent or received, it is much less likely that they can be recovered from a standard iTunes-style extraction. However, since GrayKey allows us to extract the full file system, we now have access to this file, and AXIOM will attempt to carve for any traces of messages left behind in the write ahead log, including potentially deleted messages.

Artifact information
Preview

In the above examples, you can see messages that have been recovered from the write ahead log of an sms.db and how AXIOM can still link much of the information back together, including timestamps and directionality, and use Connections to map communications between users. Messages recovered from the write ahead log are also still part of the chat threading options in AXIOM, so users can review these data points threaded out in a chronological view.
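To make the write-ahead-log behaviour described above concrete, here is an added example (not code from Magnet Forensics or Grayshift, and not how AXIOM implements its carving) that builds a small WAL-mode SQLite database standing in for sms.db, inserts a message, deletes it, and then parses the raw sms.db-wal file frame by frame. The table layout, the message text and the file names are constructed for the demonstration; the WAL header and frame header layouts come from the SQLite file-format documentation. The point it shows is that once the row is deleted, a live query returns nothing and the main database file never held the text, yet the earlier WAL frame still carries the full message, which is exactly what a carver has to look at.

```python
import os
import sqlite3
import struct
import tempfile

# SQLite WAL layout (SQLite file-format documentation):
#   32-byte WAL header: magic, format version, page size, checkpoint sequence,
#                       salt-1, salt-2, checksum-1, checksum-2 (all big-endian u32)
#   then frames: 24-byte frame header + one full database page each
WAL_HEADER_FMT = ">8I"    # 32 bytes
FRAME_HEADER_FMT = ">6I"  # page number, db size after commit (0 = not a commit frame), salt-1, salt-2, checksum-1, checksum-2
WAL_MAGICS = (0x377F0682, 0x377F0683)  # little-endian / big-endian checksum variants


def parse_wal_frames(wal_bytes):
    """Split a -wal file into frames.

    Each entry records the page number, whether the frame ends a transaction, whether its
    salts match the WAL header (frames with stale salts predate a checkpoint restart and are
    invisible to SQLite but still sit on disk), and the raw page bytes.
    """
    if len(wal_bytes) < struct.calcsize(WAL_HEADER_FMT):
        return []
    magic, _version, page_size, _ckpt_seq, salt1, salt2, _c1, _c2 = struct.unpack(
        WAL_HEADER_FMT, wal_bytes[:32])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    frames = []
    off = 32
    while off + 24 + page_size <= len(wal_bytes):
        page_no, commit_size, fsalt1, fsalt2, _chk1, _chk2 = struct.unpack(
            FRAME_HEADER_FMT, wal_bytes[off:off + 24])
        page = wal_bytes[off + 24:off + 24 + page_size]
        frames.append({
            "index": len(frames),
            "page_no": page_no,
            "is_commit": commit_size != 0,
            "current_generation": (fsalt1, fsalt2) == (salt1, salt2),
            "page": page,
        })
        off += 24 + page_size
    return frames


def frames_containing(frames, needle):
    """Indices of frames whose page bytes still contain `needle` (a naive string carve)."""
    return [f["index"] for f in frames if needle in f["page"]]


def wal_demo(message="meet me at the pier at 9"):
    """Insert then delete a message in a WAL-mode stand-in for sms.db and report what each
    view (live query, main db file, -wal file) reveals."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "sms.db")  # constructed stand-in, not a device file
    wal_path = db_path + "-wal"
    con = sqlite3.connect(db_path)
    if con.execute("PRAGMA journal_mode=WAL").fetchone()[0] != "wal":
        raise RuntimeError("WAL mode unavailable on this filesystem")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT, date INTEGER)")
    con.execute("INSERT INTO message (text, date) VALUES (?, ?)", (message, 600000000))
    con.commit()                      # page with the row goes to sms.db-wal, not sms.db
    con.execute("DELETE FROM message")
    con.commit()                      # a newer frame for the same page, now without the row
    rows_visible = con.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    # Read both files while the connection is still open: closing the last connection
    # checkpoints the WAL into the main file and normally deletes the -wal file.
    with open(wal_path, "rb") as fh:
        wal_bytes = fh.read()
    with open(db_path, "rb") as fh:
        main_bytes = fh.read()
    con.close()
    frames = parse_wal_frames(wal_bytes)
    needle = message.encode("utf-8")
    return {
        "rows_visible_to_query": rows_visible,
        "frame_count": len(frames),
        "frames_with_message": frames_containing(frames, needle),
        "message_in_main_db": needle in main_bytes,
    }


if __name__ == "__main__":
    print(wal_demo())
```

The `current_generation` flag is the detail worth carrying into real casework: after a checkpoint SQLite restarts the WAL from the beginning with new salts, so frames beyond the new write position are stale but not zeroed, and a carver that only honours the frames SQLite itself would replay will miss them.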

Third-Party Application Data

In standard iTunes-style backup images, developers can be very selective about what from their applications they want to include. Prime examples of this include Facebook, Instagram, and Twitter, which do not include key files in these backups. Since AXIOM gets access to the full file system from GrayKey images, this third-party application data is available to us again. Some brief examples in AXIOM are Facebook Messenger messages, Instagram Direct Messages, and Twitter Tweets.

Social Networking

This also gives the examiner a chance to dig deeper into applications that aren’t normally processed by artifacts such as this example showing the recovery of data for the DJI Go application.

Recovery of data for the DJI Go application

Apple Mail

The Apple Mail application (Mail.app) has been frustrating many forensic examiners since the days of the iPhone 4, as its data has not been available since then. Apple protects the Mail.app data at some of the highest protection levels of the file system, so this information will only be available in a Full File System image once the passcode has been determined.

Once found, AXIOM Examine will display the saved to/from, subject, date sent, date received, summary, and read status of emails that are recovered from this application. These mails can provide valuable communication points but can also inform an examiner about other services that they may need to look for.

Apple Mail

In addition to the data found within the Mail application, AXIOM Examine may also recover artifacts known as Apple Mail Fragments from different sources even if a full filesystem isn’t available. These fragments can help examiners key in on email addresses being used on a device in order to launch investigations from the service provider’s end while waiting for the device password to be recovered in order to obtain all of the data from the device. For example, these email fragments may be recoverable from a process memory image generated by GrayKey from a device in the After First Unlock (AFU) state.

Web Cache and App Cache

In addition to recovering standard Safari data, these file system images allow us to recover additional web data such as Safari App Cache information. Since the web cache can give us some context as to what users are viewing on URLs, this information can become very valuable in certain case types where users are viewing illicit material online.

Web Cache and App Cache

The App Cache artifact can allow examiners to see what is being stored within the cache for specific artifacts. Since applications typically have built-in browsers but don’t store many logs of web history for those browsers, this may give an examiner a chance to recover information that was found when clicking on a link inside a third-party application.

Artifact Information

Operating System Data – KnowledgeC

The Operating System category within AXIOM Examine has many artifacts available exclusively to these file system images. One such great example is the KnowledgeC artifact set. These artifacts can help to determine a pattern of usage of an application or a user in general by looking at multiple artifacts to map out such activity.

KnowledgeC

Operating System Data – Network Usage

The Network Usage artifacts under the Operating System category allow examiners to see the wireless access points the user has communicated on as well as the cellular towers the user has sent data through. The Network Usage – Connections artifact will display the Cell ID or MAC Address depending on the connection type.

The Network Usage – Application Data artifact works a lot like Windows SRUM. This artifact allows examiners to see which processes have used data, how much data, and over what connection types including WiFi, Cellular, and Wired. If a user claims they have never used an application, searching for the application ID can help to prove or disprove this and show exactly how much data has been sent across the networks. Note: this information can be reset by a user clearing their Usage statistics on their settings so it’s not a complete history since the device was first powered on.

Network Usage

Operating System Data – Screen Time

New to iOS 12, the Screen Time data that is generated by iOS allows examiners to track within 1-hour intervals how much an application was used, how many notifications it generated, and how many times the device was picked up due to this application. This information can be incredibly valuable but is a key reason why devices must be acquired immediately upon seizure.

Operating System Data - Screen Time

Location Data

There are multiple points of location data storage within modern iOS devices. Cached locations and Frequent Locations can be incredibly relevant in helping to determine a location or region that a user has visited. Other information such as Apple Pay transaction data can also be viewed within AXIOM Examine’s World Map View in order to map out these location points to make sense of a user’s activities.

Location Data

Keychain Data

The keychain files generated by the GrayKey store both exportable and non-exportable values. This means that GrayKey-generated keychains contain data that is not available from the keychain entries of encrypted iOS backups. These can include Wireless Access Points stored as “AirPort” entries with their SSIDs and passcodes, backup passwords for encrypted backups, and tokens for multiple services the user has interacted with on this device. The Internet Passwords artifact will store information passed into the Keychain from using the Safari browser and can even pass information from one iOS device to another or to a macOS device. This can allow examiners to recover usernames and passwords for cloud-based sources and, with proper legal authority, acquire them using a service such as AXIOM Cloud.

Keychain Data

Process Memory Image Analysis

By processing the images of Process Memory generated by GrayKey, AXIOM will be able to carve information stored within the process memory of AFU (after first unlock) devices. This can include information that may have been deleted from the file system. These images are acquired from the GrayKey device, are named “<udid>_mem.zip”, and can be loaded into AXIOM Process the same way as any other image. Once loaded, AXIOM will automatically attempt to carve for records including web-related, chat, email, media, and more. The below example shows some of the information that was carved from a process memory image, including iMessage/SMS messages, mail fragments, call logs, and refined results such as Google Searches that were performed.

Refined results

Wrap-Up

The team at Magnet Forensics has spent a lot of time recently diving deep into the images provided by the team at Grayshift. We have taken this research very seriously and have been working hard in order to provide new and exciting artifacts to the forensic community to make parsing through the massive amounts of data available easier. With this new partnership, Magnet Forensics and Grayshift are dedicated to helping our customers have the easiest and most powerful tools at their disposal when dealing with iOS devices.

Stay tuned for some additional exciting artifacts coming your way very soon!


The post Maximizing the Partnership Between GrayKey and Magnet AXIOM appeared first on Magnet Forensics.

Magnet Forensics and Grayshift, Partnering to Preserve Justice

$
0
0

We at Magnet Forensics are pleased to announce our partnership with Grayshift. At the core of this partnership is a shared commitment to helping law enforcement agencies seek justice and protect the innocent.

Citizens may not realize, but the technologies that allow us to socially connect and conduct commerce with the touch of a smartphone have also created complexities for law enforcement agencies as they investigate crimes such as human trafficking, child sexual exploitation, homicide and virtually every type of crime today where a smartphone can be involved. In some instances, the very fact that critical evidence resides on a smartphone has led investigations to a dead end. This is the unfortunate reality, even when police agencies have a court-order to review such evidence. 

To date, there have been limited options for law enforcement to address this challenge. 

We hear regularly from digital forensic investigators and police leaders that the existing mobile forensics solutions have created challenges for law enforcement agencies in terms of containing their cost, getting to critical digital evidence in a timely fashion, and preserving chain of custody. Some have expressed deep concern with the idea of having to pick and choose which cases get to have digital forensic examinations due to the cost of a mobile forensics examination. In other instances, we have heard questions arise about the chain of custody in cases where smartphones have to be shipped, sometimes abroad, to be unlocked for examination.

Addressing these challenges are central to the technology partnership of Magnet AXIOM and GrayKey.

A Commitment to Law Enforcement and Helping Uphold the Rule of Law

Magnet Forensics has always made it our mission to help law enforcement agencies use every lawful tool at their disposal to find the evidence that can save lives and convict or exonerate suspects. Ultimately, finding the truth is core to our purpose and technology.

The partnership between Magnet AXIOM and GrayKey will give digital investigators the ability to acquire, analyze and report on lawfully acquired digital evidence from iOS devices. We are allowing agencies to utilize these tools in their labs, saving them time and preserving chain of custody. We believe that all cases with critical digital evidence should have access to the digital forensics lab when the agency has the proper authority to review such evidence.

The partnership between Magnet Forensics and Grayshift goes beyond an obvious technological fit and need for mobile forensics options that address current gaps. As we have gotten to know the team at GrayKey, we have learned that at our cores, we share a commitment to law enforcement agencies in their pursuit of justice and upholding the rule of law.

Read more about the partnership between Magnet Forensics and Grayshift here

The post Magnet Forensics and Grayshift, Partnering to Preserve Justice appeared first on Magnet Forensics.

Magnet User Summit 2019 is Coming to The Hague!

$
0
0
MUS2019 The Hague

We’re bringing Magnet User Summit 2019 to The Hague on May 15 and registration is now open!

Magnet User Summit 2019 is a chance for customers and partners to come together and learn about the latest in digital forensics and digital evidence management.

Taking place in The Hague, Netherlands at the Hague Marriott Hotel, the Magnet User Summit is a one-day conference that provides an opportunity to hear about the latest trends in digital forensics and to take part in hands-on labs that will give you a unique opportunity to go in-depth with Magnet Forensics products. We’ll also offer the chance to relax and enjoy some refreshments at our networking event.

And fresh off our recent partnership announcement, Grayshift, the makers of GrayKey, will be joining us to talk about being the leader in iOS acquisitions and how, when paired with the analysis capabilities of Magnet AXIOM, it makes an unbeatable combination for law enforcement.

Find More Information and Register 

Visit www.magnetforensics.com/mus2019thehague/ to save your spot for the event and to get all the details you need — including the full event schedule.

We hope to see you there!

The Magnet Forensics Team

The post Magnet User Summit 2019 is Coming to The Hague! appeared first on Magnet Forensics.

Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10

$
0
0

The latest version of Magnet AXIOM is now available for customers to download! Either upgrade in-app, or head over to the Customer Portal to download AXIOM 2.10.

The latest version of Magnet AXIOM is now available for customers to download! Either upgrade in-app, or head over to the Customer Portal to download AXIOM 2.10.

In this release, we’ve focused on artifacts. We’ve introduced Slack for iOS and Android as well as the Microsoft Outlook app, also for iOS and Android. Learn more about these new artifacts below and see what else we’ve updated in AXIOM 2.10.

If you’re not already using AXIOM and want try AXIOM 2.10 for yourself, request a trial today.

New Artifacts

  • Slack​ (Android and iOS)
    • With over 10 million installs on Android devices alone, Slack has become a very popular communication tool within the business community. The new Slack artifacts will recover channels, channel messages, direct messages, files, users, and workspaces.​
  • Microsoft Outlook​ (Android and iOS​)
    • Microsoft Outlook has become a popular replacement for native mail applications on mobile devices, supporting both Microsoft Mail services as well as other personal email accounts.  New artifacts are available that capture Outlook email, calendar events, and contacts from Android and iOS.
  • Installed Applications (iOS — GrayKey)​
    • Previously only available when using an iTunes backup, this artifact will also provide a list of Installed Applications when processing a GrayKey image.​
  • Samsung Browser Bookmarks​ (Android​)

Updated Artifacts

Windows:

  • Viber
    • Viber Chat Messages for version 9.2+

Android:

  • Skype Lite​
  • SMS / MMS Messages​
    • Attempts to map a name from the device contacts to the number used in the message, helping you better read and interpret message threads

iOS:

  • Private Notes
    • Recover and decrypt password-protect notes on Apple devices
  • iOS Device Information​
    • Enhanced to provide additional details from the iOS devices ingested using a quick acquisition

All Platforms:

  • Webkit Refactor​
    • AXIOM will now provide a clearer picture of which application generated a link to a website by organizing results into more specific browser-based artifacts wherever possible
  • Password Recovery​ (Google Cloud​)
    • Passwords can be once again recovered from Google using AXIOM Cloud after a temporary break due to a change made to the Google website
  • Image Attachments in Chat Threads​ (Android/iOS​)
    • Fixed an issue where images were no longer appearing in chat bubbles. This has been resolved and images will now appear in chat bubbles, as well as reports generated from conversation views
  • GZIP Archive Format
    • GZIP files, a commonly encountered archive format, are now supported in AXIOM

If you’re already using AXIOM, download AXIOM 2.10 over at the Customer Portal. If you want to see how AXIOM 2.10 can give you a better investigative starting point, request a free 30-day trial today!

The post Slack and Microsoft Outlook Among the New and Updated Artifacts in Magnet AXIOM 2.10 appeared first on Magnet Forensics.

Utilizing AXIOM Wordlist Generator to Optimize Handset Lock Code Breaking

An updated version of the free Magnet AXIOM Wordlist Generator tool is now available for download.

The long-standing roadblock for examiners dealing with iOS devices has been the device's handset lock code. There are several types of passcodes that an examiner may come across on an iOS device, including:

  • 6-Digit Numeric Code
  • 4-Digit Numeric Code
  • Custom Numeric Code
  • Custom Alphanumeric Code

When dealing with devices running 4- or 6-digit PINs, a standard brute-force style attack is usually feasible. With 4-digit codes you would be facing 10,000 possible combinations, while 6-digit codes ramp the difficulty up to 1,000,000 combinations. The true test comes when devices are using a custom numeric or alphanumeric passcode. In this case, users can specify how many characters they'd like to use.

Apple has more recently helped its users by "assisting" them in picking a more complex passcode. If a user tries to set a 1-3 digit custom numeric passcode, Apple warns the user that the passcode is too easy and will not allow them to set it. Once the user specifies a 4-digit passcode, it still warns that the passcode could be easily guessed, but will allow the user to use it.

With the release of GrayKey, brute-forcing these custom numeric and alphanumeric passwords became possible for examiners again; however, these tools require a good wordlist in order to be successful. Since AXIOM has the ability to generate wordlists from processed cases, we quickly realized how our recent partnership could take this one step further to help out the forensic community.

With AXIOM Wordlist Generator 1.1, we can not only continue to export wordlists from processed AXIOM cases, but can now actually optimize those wordlists for use with the GrayKey device. The logic it follows walks through the wordlist and reorganizes it, prioritizing the words that meet the following criteria, in this order:

  1. Numbers only, 4-6 characters
  2. Letters and numbers only, 4-8 characters
  3. English dictionary words, 4-8 characters
  4. Everything else

This allows users to target the most likely candidates first while still eventually working through all of the words recovered by the AXIOM Wordlist Generator.
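As an added illustration of the four-tier ordering above (example code, not the AXIOM Wordlist Generator's own implementation), here is a small Python classifier that assigns each candidate to a tier and reorders a constructed sample list accordingly. The dictionary set, the sample words, and the reading of criterion 2 as "at least one letter and at least one digit" are assumptions; the page does not say how the tool resolves the overlap between criteria 2 and 3.

```python
import re

# Constructed stand-in for the English dictionary the tool consults; the page
# does not say which word source the AXIOM Wordlist Generator uses.
ENGLISH_WORDS = {"summer", "dragon", "forensic", "magnet", "password", "hello"}

TIER_NAMES = {
    1: "numbers only, 4-6 characters",
    2: "letters and numbers only, 4-8 characters",
    3: "English dictionary words, 4-8 characters",
    4: "everything else",
}

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def tier(candidate: str, dictionary: set = ENGLISH_WORDS) -> int:
    """Map one candidate to the priority tier it would be tried in (1 first).

    Assumption: criterion 2 is read as 'at least one letter AND at least one
    digit'; read as a bare character-set rule it would swallow every
    dictionary word and leave criterion 3 empty.
    """
    n = len(candidate)
    if candidate.isdigit() and 4 <= n <= 6:
        return 1
    if 4 <= n <= 8 and _ALNUM.match(candidate):
        has_letter = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        if has_letter and has_digit:
            return 2
        if candidate.isalpha() and candidate.lower() in dictionary:
            return 3
    return 4


def prioritize(words, dictionary: set = ENGLISH_WORDS) -> list:
    """Deduplicate and reorder a wordlist so lower tiers come first.

    sorted() is stable, so candidates keep their original relative order
    within a tier; nothing is dropped, so every word still appears eventually.
    """
    seen = set()
    unique = []
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            unique.append(w)
    return sorted(unique, key=lambda w: tier(w, dictionary))


def tier_counts(words, dictionary: set = ENGLISH_WORDS) -> dict:
    """How many candidates land in each tier; useful for estimating how far
    into a list a given class of passcode sits."""
    counts = {t: 0 for t in TIER_NAMES}
    for w in prioritize(words, dictionary):
        counts[tier(w, dictionary)] += 1
    return counts


# Constructed sample: the kind of mixed material a case export might yield.
SAMPLE_WORDS = ["correct horse", "Summer", "hunter2", "123456", "2468",
                "zzzz", "12345678", "summer", "123456"]

if __name__ == "__main__":
    for w in prioritize(SAMPLE_WORDS):
        print(f"tier {tier(w)}: {w!r}  ({TIER_NAMES[tier(w)]})")
```

`tier_counts` tells you, for a list of N candidates, how many entries are attempted before a given class is reached; on the defensive side, the same classifier shows which user-chosen codes fall into the first two tiers and would therefore be tried earliest.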

So how can we as examiners maximize the data we're using? Simple. We think about how people use passcodes. Even a security-minded individual may use the same passcode or PIN on more than one service or site. Especially since this code may need to be entered multiple times per day to unlock a device, users will likely choose something they can easily remember. In order to generate a great wordlist, examiners simply need to turn to the artifacts that AXIOM already handles! Some examples of great source data include:

  • iOS Keychain Data
    • Keychain data extracted from AFU or BFU devices make a GREAT wordlist piece as any saved passcodes from the device may be duplicated for the user’s lock code.
  • Web Related Form/Login/Autofill Data
    • Saved form data from modern browsers may contain valuable information about where our user logs in.
  • Cloud-Stored Passcodes
    • If an examiner can gain access to a user’s cloud account from the acquired keychain data using the GrayKey they may be able to extract all of the stored passwords as well.
  • Documents
    • Users may keep passwords in documents or databases on their system as opposed to the old-school “sticky note” that could contain passwords or valuable dictionary words.

Simply put, run ANY available evidence in your case (computers, other mobile extractions, USB drives, cloud data, etc.) through AXIOM in order to generate as complete of a wordlist as possible.

To enable the AXIOM Wordlist Generator (or AWG, as many examiners lovingly call it) functionality for GrayKey optimization, simply tick the checkbox in the main interface. This will still pull all the recovered words out into a list, but will reorganize them using the logic described above. This job runs at the end of the wordlist export, so it will add a small amount of time to the end of the AWG text file generation.

Wordlist Generator

Once your text file is generated, simply load the list into the GrayKey interface and allow it to run through your wordlist! We hope this new functionality will continue to empower the community to gain access to devices when it is needed and look forward to hearing any feedback!

Announcing Magnet AUTOMATE, a New Solution to Help Labs to Complete Investigations Faster

We’re pleased to announce a new solution for digital forensics labs to get the most out of their forensics tools: Magnet AUTOMATE. AUTOMATE allows labs to complete their investigations faster by powering a repeatable forensic workflow that minimizes downtime and maximizes efficiency.

At Magnet Forensics, we've been aiming to help digital forensics labs focus their energies on the tasks that require their expertise, such as analysis and review, rather than the repetitive and clear-cut jobs like imaging and processing.

Magnet AUTOMATE lets labs orchestrate a repeatable workflow with Magnet AXIOM and any other commercial tool or custom script that has a command-line interface. This new standardized workflow eliminates hours of downtime between each step in the investigation and can deliver evidence within 48 hours on every case. 

How Magnet AUTOMATE Works

An example of a defined workflow created within Magnet AUTOMATE

With the AUTOMATE control panel, examiners can visually map out a workflow (containing multiple tools, Python scripts, and simple Java applications) into a set of repeatable steps to be taken for each case type.

Once your workflows are designed, Magnet AUTOMATE leverages existing lab hardware and server space to process evidence 24/7. AUTOMATE can also run on multiple workstations simultaneously, enabling examiners to complete investigative steps in parallel. This means that things like processing with custom scripts and creating exports from your AXIOM case can be done automatically instead of requiring examiners to come into the lab, an interaction that sometimes halts progress and creates hours of delay.

The whole workflow is customizable to maximize the benefit to the team at hand, all while allowing for proper procedures that follow specific industry standards.

All told, AUTOMATE has been shown to help complete up to six times more cases and deliver evidence for review within 48 hours.

“Our Team is Completing More Cases”

A large metropolitan UK police agency has seen results with AUTOMATE. As a Senior Digital Forensic Specialist for the organization says:

“Magnet AUTOMATE enables our team to deliver a guaranteed service level for all child abuse cases, according to a management-approved workflow. Because time-to-evidence is now guaranteed inside 48 hours, investigators can identify and act on relevant material quickly, examiners are freed from repetitive tasks, and our computing power is being utilized 24 hours a day, 7 days a week. Our team is completing more cases—in less time and at lower cost—so we can focus our efforts on the challenging areas that require our expertise.”

Learn More about Magnet AUTOMATE

Think your lab may benefit from Magnet AUTOMATE? Head over to our Magnet AUTOMATE page to learn more about the solution and to request more information.

We’ll also be hosting a special webinar on Tuesday, April 16 at 11:00AM & 1:00PM ET where we’ll go in depth on AUTOMATE and answer any and all questions you may have during a live Q&A. Register for the webinar here.

Find More Evidence That Matters with Magnet AXIOM 3.0

We’re excited to release the most powerful and comprehensive version of Magnet AXIOM: Magnet AXIOM 3.0. With AXIOM 3.0, we’re giving you the ability to recover digital evidence from more sources than ever before (including Mac computers and new cloud sources), a powerful and intuitive new Timeline view, and much more. Find out more about what’s included in Magnet AXIOM 3.0 below and watch a video announcement from our VP of Product Management, Geoff MacGillivray here:

If you’re currently using Magnet AXIOM, you can download the update within AXIOM or in the Customer Portal now. If you haven’t tried AXIOM yet, request a free 30-day trial here.

New in Magnet AXIOM 3.0: Mac Support

With AXIOM 3.0, we’ve introduced the ability to search and recover data from Apple products running macOS. AXIOM can now support decrypting FileVault2-encrypted drives, containers, and volumes, as well as support for parsing artifacts from APFS sources and traversing the File System explorer in AXIOM.

And, in keeping with our artifacts-first approach, we have also added more support for relevant macOS artifacts, including support for parsing user accounts information, FSEvents, connected devices, MRUs and the KnowledgeC database.

Go deeper into our Mac support in this how-to document.

A New Way to Look at Timeline

Looking at evidence through a time lens is one of the most common ways to understand a case, so with that in mind we've greatly improved Timeline to provide you with a dedicated explorer that helps you visually understand all timestamped artifacts and file system data in one view. The evidence can be easily filtered and sorted by date/time ranges, specific artifacts/items of interest, and keywords to make review and analysis easier.

See the new Timeline in action in this how-to article and video.

Get Evidence from New Cloud Sources

With Magnet AXIOM 3.0, we're incorporating open web data, self-serve data services, and warrant return data from social networks, allowing you to build a stronger case and draw correlations between various pieces of evidence.

Facebook Warrant Return Packages

During an investigation, law enforcement may serve cloud service providers—such as Facebook—with a warrant, requesting information on a specific user. To comply with these requests, the service provider will typically return a digital package of evidence for law enforcement to review which includes artifacts for Facebook Messenger conversations, friends, and audit history.

AXIOM can now scan HTML-based warrant return packages from Facebook and identify useful artifacts for investigators.

Facebook “Download Your Info” Packages

Thanks to the General Data Protection Regulation (GDPR) law in the E.U., all online services that store personal user data have had to add features that allow users to download their personal information. These features provide a valuable new data set for law enforcement to work with as evidence when available. Investigators interested in using Facebook's "Download My Data" feature in AXIOM should use the JSON format option from Facebook.

Like the existing Google Takeout capability, this feature will add support for scanning packages from Facebook to specifically pull out artifacts of interest.

Read more about our updates to Facebook here.

Public Twitter Without Credentials

You can now acquire publicly available data from Twitter without requiring the user's credentials. This includes public-facing tweets from the user, as well as information on who the user is following and who follows them, information that does not require a warrant.

Learn more about the capabilities of acquiring public Twitter information in this blog.

Slack

Slack has become a hugely popular collaboration platform for employees to easily communicate with individuals or teams using direct messaging.

Corporate investigators, with the account credentials of a suspect, can now acquire and analyze communication data directly from Slack, including public channel discussions and private chat data.

Learn more about Slack support in AXIOM 3.0 here.

Media Categorization Enhancements

We’ve furthered our media categorization capability with our increased compatibility with Project VIC/CAID hash sets. Our redesigned media categorization makes it even easier to focus your investigation on the data that is important to you using Project VIC and CAID data.

See for yourself how we’ve updated media categorization in this blog and how-to video.

Dynamic App Finder Improvements

Dynamic App Finder continues to be a valuable tool for examiners and with AXIOM 3.0, we’ve worked to find and report content of interest in databases on smartphones more reliably. This includes scanning database content for:

  • Date/Times
  • Geolocation data (coordinates)
  • Street addresses
  • References to countries/states/provinces/postal codes/zip codes
  • Email addresses
  • Phone numbers
  • URLs/URIs
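An added example of the kind of content scan described above, written in Python (this is not Dynamic App Finder's own code; its heuristics are not published on this page): it walks every table and row of a SQLite database, flags text matching the listed categories, treats integer columns in a plausible Unix-timestamp range as dates, and pairs adjacent REAL columns that look like a latitude/longitude. The database, its rows, and the regular expressions are all constructed for the example.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Text patterns, kept conservative to limit false positives on chat-style data.
TEXT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "phone": re.compile(
        r"(?<![\w+])\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "iso_datetime": re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?\b"),
    "street_address": re.compile(
        r"\b\d{1,5} (?:[A-Z][a-z]+ ){1,3}(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive)\b"),
    # Canadian postal code, or US ZIP / ZIP+4.
    "postal_code": re.compile(r"\b[A-Z]\d[A-Z] ?\d[A-Z]\d\b|\b\d{5}(?:-\d{4})?\b"),
}

# Integer ranges treated as plausible Unix timestamps (2001-01-01 .. 2038-01-19).
UNIX_SECONDS = (978_307_200, 2_147_483_647)
UNIX_MILLIS = (UNIX_SECONDS[0] * 1000, UNIX_SECONDS[1] * 1000)


def classify_timestamp(value: int):
    """Return (kind, ISO-8601 string) if an integer looks like a Unix timestamp."""
    if UNIX_SECONDS[0] <= value <= UNIX_SECONDS[1]:
        return "unix_timestamp", datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    if UNIX_MILLIS[0] <= value <= UNIX_MILLIS[1]:
        return "unix_timestamp_ms", datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()
    return None


def coordinate_pairs(floats):
    """Yield (col1, col2, lat, lon) from adjacent non-integer REAL values in one row."""
    for (c1, a), (c2, b) in zip(floats, floats[1:]):
        if a.is_integer() or b.is_integer():   # skips 0.0/0.0 and whole numbers
            continue
        if abs(a) <= 90 and abs(b) <= 180:
            yield c1, c2, a, b


def scan_database(conn: sqlite3.Connection) -> list:
    """Walk every user table and row; return a list of finding dicts."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        q = '"' + table.replace('"', '""') + '"'          # quote the identifier safely
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q})")]
        for rowid, *values in conn.execute(f"SELECT rowid, * FROM {q}"):
            floats = []
            for col, val in zip(cols, values):
                if isinstance(val, str):
                    for kind, pat in TEXT_PATTERNS.items():
                        for m in pat.finditer(val):
                            findings.append(dict(table=table, column=col, rowid=rowid,
                                                 kind=kind, value=m.group()))
                elif isinstance(val, int):
                    hit = classify_timestamp(val)
                    if hit:
                        findings.append(dict(table=table, column=col, rowid=rowid,
                                             kind=hit[0], value=hit[1]))
                elif isinstance(val, float):
                    floats.append((col, val))
            for c1, c2, a, b in coordinate_pairs(floats):
                findings.append(dict(table=table, column=f"{c1},{c2}", rowid=rowid,
                                     kind="coordinate", value=f"{a}, {b}"))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an unknown app's SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, sent_at INTEGER);
        CREATE TABLE checkins (id INTEGER PRIMARY KEY, lat REAL, lon REAL, note TEXT);
    """)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        (1, "alice@example.com",
         "call me at +1 519-555-0123 or see https://example.com/invite?x=1", 1554000000),
        (2, "bob", "meet 2019-04-01 09:30 at 100 Main St, Waterloo ON N2J 4G8", 1554076800000),
    ])
    conn.executemany("INSERT INTO checkins VALUES (?,?,?,?)", [
        (1, 43.4643, -80.5204, "office"),
        (2, 0.0, 0.0, "location unset"),
    ])
    conn.commit()
    return conn


def kinds_found(findings) -> set:
    return {f["kind"] for f in findings}


if __name__ == "__main__":
    for f in scan_database(build_sample_db()):
        print(f"{f['table']}.{f['column']} row {f['rowid']}: {f['kind']} -> {f['value']}")
```

Two caveats worth keeping in mind when adapting this: Apple's Core Data epoch (seconds since 2001-01-01) overlaps the Unix-seconds range, so a value that decodes to an implausible date should be re-tried with a 978307200-second offset, and the patterns are deliberately narrow (North American phone formats, Canadian/US postal codes), so widen them for the locale of the device under examination.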

Magnet.AI Performance Improvements

AXIOM 3.0 greatly improves the speed at which images are scanned with Magnet.AI, now allowing scanning at a rate of up to or exceeding 25 images per second (when a GPU is available).

In addition to increasing the throughput, we have also increased Magnet.AI’s accuracy—making Magnet.AI an even more valuable tool to use in investigations.

New & Updated Artifacts

New MacOS Artifacts

  • OS Information
  • FSEvents
  • User Accounts
  • Login History
  • Daily.out
  • Trash
  • Network Profiles
  • MRU Files
  • KnowledgeC
  • USB Devices
  • Startup Items
  • Bluetooth Devices
  • Bash Sessions
  • Quarantined Files
  • Connected Volumes
  • Spotlight Shortcuts
  • Installed Applications
  • Finder Sidebar Items
  • iMessage
  • Mail
  • Network Interfaces
  • Custom Menu Items
  • Dock Items
  • Calendars (iCS)

New Mobile Artifacts

  • Discord (iOS/Android)
  • Android Keystore (Android)
  • TikTok (iOS/Android)

New Cloud Artifacts

  • Slack
  • Facebook Warrant Return
  • Facebook Download Your Info
  • Public Twitter

Artifact Updates

  • Slack (iOS/Android)
  • Kik (Android)
  • Usage History (Android)
  • Gmail (Android)
  • Telegram (Android)
  • Chrome (Android)
  • KakaoTalk (Android)
  • Messages (iOS)
  • WeChat (iOS)
  • Grindr (iOS)
  • iOS Device Info (iOS)
  • Uber (iOS)
  • Application Install States (iOS)

If you’re already using AXIOM, download AXIOM 3.0 over at the Customer Portal or within AXIOM. If you want to see how AXIOM 3.0 can give you a better investigative starting point, request a free 30-day trial today!

Want to see the new features in Magnet AXIOM 3.0 in more depth? We'll be hosting a webinar on April 9 for the Americas, Europe, Africa, and the Middle East and another on April 10 for Asia-Pacific, covering all of the new features in Magnet AXIOM 3.0 and showcasing how you can use them to find more evidence that matters in your investigations.

Our Nominations for This Year’s Forensic 4:cast Awards

For the past six years, we've been extremely honored to win in the Forensic 4:cast awards, especially Digital Forensic Organization of the Year for the past two years! The awards are important to us here at Magnet Forensics because you take time out of your day to recognize us for creating products that are helping you do important work.

This year, we’re approaching the awards a little differently.

Lee Whitfield, the organizer of the Forensic 4:cast awards, works extremely hard to recognize those that stand out in the community—and we want to support him in that mission.

So, while we hope we can count on your nominations for DFIR Commercial Tool of the Year (we’re particularly proud of Magnet AXIOM 3.0—check it out if you haven’t already!), we wanted members of the DFIR community to get the recognition they deserve.

Over the next few weeks, some of our in-house forensics experts will share their picks for nominations. Hopefully, you’ll get to check out some practical information and interesting insights from some of the top experts in the field. Keep an eye on our blog throughout April for our Forensic 4:cast choices.

Thank you again to everyone for the support over the years. We can’t wait to see what the Forensic 4:cast Awards hold this year! If you want to get your nominations in now, head on over to https://forensic4cast.com/forensic-4cast-awards/ and post them today!

Jad Saliba
Founder & CTO

What Upcoming Mac Artifacts and Features You Can Expect

With Magnet AXIOM 3.0, we’re excited to expand your computer investigations with support for APFS and Mac artifacts—but that’s just the beginning!

We're continuing to work hard to add even more macOS capabilities in upcoming AXIOM releases. Already, in addition to the ability to decrypt FileVault2 images, we've added artifact support for parsed user account information, FSEvents, connected devices, MRUs, and the KnowledgeC database.

We want to share some insight into what's in store for Mac support. Keep in mind that AXIOM updates come every month, so the information you need to support your Mac investigations is not far away.

Extended Attributes (xattr)

In macOS investigations, extended file attributes can provide the examiner with a wealth of information about a file of interest. Extended attributes are extra metadata about a specific file that goes beyond normal file system metadata, and can include information such as quarantine data, author, origin URL, and downloaded date/time.

Over the next few releases of Magnet AXIOM, we will be adding support for macOS extended attributes such as kMDItemWhereFroms, giving examiners more context as to how a file arrived on the system, whether from a web download or via AirDrop.
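As an added example (not AXIOM's parser), here are the two attributes mentioned above decoded in Python from their raw bytes: kMDItemWhereFroms is stored as a binary plist of URLs, and com.apple.quarantine as a semicolon-separated text record of flags, download time (hex Unix seconds), agent name, and UUID. The attribute values used here are constructed; on a real system you would obtain the raw bytes with `xattr -px <attribute> <file>` or from the file-system metadata in an image.

```python
import plistlib
from datetime import datetime, timezone

# Attribute names exactly as they appear in `xattr -l` output on macOS.
WHERE_FROMS_ATTR = "com.apple.metadata:kMDItemWhereFroms"
QUARANTINE_ATTR = "com.apple.quarantine"


def parse_where_froms(raw: bytes) -> list:
    """kMDItemWhereFroms is a binary plist: usually an array of one or two URLs
    (download URL first, referring page second), occasionally a bare string."""
    value = plistlib.loads(raw)
    if isinstance(value, str):
        return [value]
    return [str(item) for item in value]


def parse_quarantine(raw: bytes) -> dict:
    """com.apple.quarantine is plain text: 'flags;hex-unix-seconds;agent;uuid'.
    Only the first two fields are reliably present, so the rest are optional."""
    parts = raw.decode("utf-8", errors="replace").split(";")
    out = {"flags": int(parts[0], 16), "downloaded_at": None, "agent": None, "uuid": None}
    if len(parts) > 1 and parts[1]:
        ts = int(parts[1], 16)
        out["downloaded_at"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    if len(parts) > 2 and parts[2]:
        out["agent"] = parts[2]
    if len(parts) > 3 and parts[3]:
        out["uuid"] = parts[3]
    return out


def describe_origin(xattrs: dict) -> dict:
    """Combine both attributes into one origin record for a file.

    `xattrs` maps attribute name -> raw bytes, as collected from an image or,
    on a live Mac, from the xattr tool."""
    record = {"source_urls": [], "download_agent": None,
              "downloaded_at": None, "quarantine_flags": None}
    if WHERE_FROMS_ATTR in xattrs:
        record["source_urls"] = parse_where_froms(xattrs[WHERE_FROMS_ATTR])
    if QUARANTINE_ATTR in xattrs:
        q = parse_quarantine(xattrs[QUARANTINE_ATTR])
        record["download_agent"] = q["agent"]
        record["downloaded_at"] = q["downloaded_at"]
        record["quarantine_flags"] = q["flags"]
    return record


# Constructed sample attribute values (flags, timestamp, and UUID are made up).
SAMPLE_XATTRS = {
    WHERE_FROMS_ATTR: plistlib.dumps(
        ["https://files.example.com/downloads/report.pdf",
         "https://files.example.com/downloads/"],
        fmt=plistlib.FMT_BINARY),
    QUARANTINE_ATTR: b"0083;5ca1ab1e;Safari;0F0E0D0C-0B0A-4908-8706-050403020100",
}

if __name__ == "__main__":
    for key, value in describe_origin(SAMPLE_XATTRS).items():
        print(f"{key}: {value}")
```

The quarantine timestamp and the download URL come from two independent attributes, so a file carrying one but not the other is itself a signal worth noting: AirDrop transfers and files copied from removable media typically carry no kMDItemWhereFroms at all.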

Other Important Artifacts Coming Your Way

We will be adding artifact support for the macOS office suite, iWork, in Magnet AXIOM. This includes files made with the word processing application Pages, the presentation application Keynote, and the spreadsheet program Numbers. In upcoming releases, AXIOM will identify these documents and present them as an artifact for easy review.

Additionally, we will be adding support for Contacts in macOS. This artifact can provide valuable information such as names, phone numbers, addresses, and contact photos, and can add an extra layer of analysis when using Connections between different evidence sources.

The Quick Look Thumbnail Cache is a useful feature in macOS to give the user a preview of files in the file system. Soon, Magnet AXIOM will parse this cache and present the examiners with these thumbnails as an artifact.

Similar to our support for iOS keychain, we will soon add the same support for the macOS keychain as well! Our artifacts view will quickly display any passwords identified from applications, websites, or other services stored in the macOS keychain.

Future Enhancements on Our Horizon

In future versions of Magnet AXIOM, we are looking at tackling the challenge of data carving unallocated space in macOS, even though certain difficulties arise when dealing with these artifacts—such as decrypting unallocated space after a user password change.

Furthermore, we are currently in the research phase of support for APFS Snapshots. Found in macOS High Sierra and later, APFS snapshot data can add tons of value to your investigation, such as recovering deleted or older versions of files no longer found in the current snapshot due to accidental, intentional, or malicious means.

Finally, something that corporate customers can especially look forward to is added support for Institutional Recovery Keys (IRKs) for decryption of FileVault encrypted endpoints in your organization. Unlike personal recovery keys, IRKs are key files that act as encryption/decryption keys for FileVault data, typically seen in enterprise environments.

Magnet AXIOM and Our Commitment to Innovation

Remember, we release our updates monthly to provide you with our most current support available. Be on the lookout for future releases of Magnet AXIOM to get the most out of your macOS examinations. If you have any questions or recommendations of artifacts to include in future releases, please don't hesitate to contact me at trey.amick@magnetforensics.com.

Who We’re Nominating for This Year’s Forensic 4:cast Awards: Part 1

In this series, a few forensics experts within Magnet Forensics are sharing their suggestions for nominations in this year’s Forensic 4:cast Awards. In this first installment, Jessica Hyde, Director of Forensics, highlights people in the DFIR community who are making valuable contributions. You can submit your nominations (including Magnet AXIOM for DFIR Commercial Tool of the Year) here.

For those unfamiliar, every year Lee Whitfield puts on the Forensic 4:cast awards. Lee does this as a community event with both a nomination and a voting phase. One of my favorite parts about the nomination phase is that you can nominate as many folks, projects, tools, etc. as you want for any category! You can read the rules and categories here.

Now, when it comes to final voting, you can only vote once—so that is where I lose sleep. The 4:cast awards are a great opportunity to recognize the people, teams, and organizations that have made amazing contributions to the community. But for now, you can nominate ALL THE THINGS here!

Magnet Forensics is providing an opportunity for some of us to share our personal recommendations for nominations. I am so happy to do so. These are my personal nominations and not Magnet's. Please note, I will not address every category, just some of the ones where I would like to share some of the people I have nominated, hopefully to inspire some of you to nominate as well, or at least to introduce you to sources, projects, and forensic practitioners you may not know.

One of the most important things to note is that these nominations are for work done in 2018. This eliminates some really cool projects and work in 2019, like Eric Zimmerman’s KAPE tool, Blanche Lagny’s paper “Analysis of the AmCache”, and all of the resources put out by Joshua Hickman—both the blogs and the data sets . These are totally on my list for next year!

On to my suggestions for nominations this year! Please feel free to nominate these or share your thoughts. Just because someone isn't listed here does not mean that I do not appreciate and love their work. Thank you all so much for your contributions to the community. I am a big proponent of sharing in DFIR. I can't wait to see what the community brings in 2019!

DFIR Non-Commercial Tool of the Year

APOLLO by Sarah Edwards — As more examiners have access to full file system images, Sarah's release of Apple Pattern of Life Lazy Output'er (APOLLO), which helps decode data from a variety of iOS databases including knowledgeC.db, is an incredible tool for use on iOS cases. It has further capabilities to be used on devices outside of just iOS.

Volatility — With continued updates and plugins, this tool is totally indispensable for memory analysis. Memory analysis is a critical portion of forensic analysis and can be used to target your file system analysis, triage while still imaging, and recover artifacts that only live in memory.

DFIR Show of the Year

Forensic Lunch by David Cowen and Matt Seyer — The duo continues to bring the newest information to the community on a regular basis with both looks at tools and people who are contributing to the community.

Forensic Lunch Test Kitchen by David Cowen — David provides a look inside in-depth testing. This show has inspired the community to delve into further testing and understanding of artifacts and their creation. Forensic Test Kitchen is an amazing way to understand the methodology behind testing and validation and learn as a community. Thanks, Dave, for letting us inside your screen and head! It is the same link as the Forensic Lunch, so guessing that Lee may wrap these up as one.

Digital Forensic Survival Podcast (DFSP) — Every week Michael shares something with us that is useful. This could be anything from a deep dive into a specific artifact to a digital forensic technique.  If you aren’t listening, you should! New episodes come out every week.

DFIR Blog of the Year

Initialization Vectors by Alexis Brignoni — Alexis drafted 33 posts, mostly related to mobile device forensics, throughout the year. Many of these prove critical to investigations and have associated scripts that were highly usable for forensic examiners.

ThisWeekIn4n6 by Phill Moore — This blog lets the community know what other blogs we should be reading this week and all of the critical information we need in the ever-changing landscape of digital forensics. I regularly use this site as a reference to find past articles on topics. How Phill is able to find everything, I will never know.

HECFBlog by David Cowen — David contributed nearly a blog a day for the entirety of 2018. In addition to the continual daily posts, this blog encouraged the community to do further testing through Sunday Funday challenges and sharing of the results. This spawned other forensic practitioners to create their own blogs in response to the challenges. 

DFIR Book of the Year

SQLite Forensics by Paul Sanderson — This is everything you want to know about SQLite and how to conduct forensics on the data within. This is indispensable for mobile investigations, as there are so many SQLite databases across Android and iOS that regularly need to be parsed by the examiner because the applications are not supported by commercial tools.

Investigating Windows Systems by Harlan Carvey — Harlan’s book allows the user to get inside the mind of an investigator and understand more than just the data that lives in a registry key or an artifact from a file system, but the methodology behind how an examiner analyzes evidence and pivots throughout the investigation.

DFIR Article of the Year

“A forensic examination of the technical and legal challenges surrounding the investigation of child abuse on live streaming platforms: A case study on Periscope” by Graeme Horsman — This paper discusses both the issues with forensic investigations of streaming platforms as well as methodologies. This is critical work as we move forward.

DFIR Social Media Contributor of the Year

Brett Shavers – Brett not only shares a slew of material that he creates, but also discusses and amplifies messages from the community.  He regularly provides context to the information shared by others.

Jake Williams (aka Malware Jake) — Jake’s brand of sharing on social media is unmatched in both true discussion of current events that impact our field and in terms of clever depiction of animal videos as they pertain to information security. Jake is not afraid to have a real discussion full of unpopular opinions to ensure that the truth is illuminated.

DFIR Undergrad, Graduate, or Training Class of the Year

SANS FOR 518 by Sarah Edwards — I took this class in 2018 and was amazed by the sheer amount of knowledge that was bestowed. She updated the course to reflect the changes in APFS and ensured that the practical was valuable. Walking out of that class you have skills that can be used for a lifetime.

DFIR Groundbreaking Research of the Year

Grayshift — The development of GrayKey gives law enforcement access to parts of iOS devices that had not been seen since the Boot ROM vulnerability days. This has been truly groundbreaking work that has provided access to data on a variety of devices that was previously unseen.

Maxim Suhanov — Maxim has done an unprecedented amount of research in 2018. This includes everything from work on Last Access timestamps in NTFS to deep registry analysis. His work has been truly groundbreaking in the field.

Steve Watson and crew of VTO Labs — Steve Watson and his team did incredible research surrounding drone forensics. They released over 20 reports on the forensic analysis of drones, including releasing drone images on the NIST CFReDS page. This allows examiners to have access to images from drones for creating parsers and to understand the kinds of data that are stored by drones and how they could be recovered.

DFIR Newcomer of the Year

(Treating this category as people who began sharing in 2018 – not necessarily new to the field)

Kevin Murphy — Kevin created and contributed the open source Manta Ray project which is a hash set from Virus Share so tools could incorporate those hash sets for rapid identification.

Delaney Jester — Delaney is new to the scene, but still put out a blog about her research regarding Forensics of Cortana on Android this summer.

Kevin Pagano — Kevin, although not new to forensics, started a blog in 2018 where he shared forensic information on everything from TeraCopy forensics to summaries of forensic conferences. I am really looking forward to what he has to bring in 2019—he already has done amazing in both winning two forensic CTFs (BloomCon and Magnet User Summit – in the same week!) and competing in the Sunday Funday Challenges put out by David Cowen at Hacking Exposed Computer Forensics Blog.

DFIR Resource of the Year

This Week in 4n6 by Phill Moore — Go-to website for understanding all the information the forensic community puts out each week. Additionally, it serves as a source in order to be able to find articles about topics that you know you read but don’t recall where they were. Serves as the forensic index of sorts.

DFIRTraining by Brett Shavers — This is the source of sources. This site has been updated greatly this year to include not only tools and training, but a variety of resources from books, to artifacts, to education. It is the resource of resources!

AboutDFIR by Devon Ackerman and Mary Ellen Kennel — Fantastic resource that has added amazing sections this year including the DFIR Jobs section and the Research section. Newer forensicators have been inspired by the research section to take on new projects and share.

DFIR Team of the Year

Cyber-investigation Analysis Standard Expression (CASE) Consortium — CASE is a community that intersects academia, governments, non-profits, and commercial vendors to create a standard for expressing the output of forensic tools, such that in the future data from one tool will be able to be exported, ingested, and shared using the same definition of traces. This will help the entire community, as it will allow data from multiple tools to be correlated and collated, and allow data to be transferred while maintaining its provenance.

Steve Watson and the team at VTO labs — Steve has been leading many revolutionary projects at VTO Labs. This includes not only the drone research and information the team has put out, but also research surrounding IoT devices, where he brought the community together in Data Finder events throughout the year to research together and document their findings. Additionally, VTO labs has explored how to recover data from damaged devices, including devices submerged in water samples from around the world, and has published techniques for recovering that data. The team has also researched biohazards around digital forensic evidence of unknown origin and from crime scenes, and the wearing of proper Personal Protective Equipment (PPE) to protect digital forensics practitioners.

Digital Forensic Investigator of the Year

Alexis Brignoni — Alexis has worked tirelessly to share what he learns from his work, along with his tools, with the community via his blog and scripts, and by putting his scripts into formats for automatic ingestion by commercial tools. He has also mentored new forensic practitioners, worked with peer investigators around the world when asked to help in their investigations, and released tools and methods that are critical to examiners. He has translated content into other languages so that examiners could have access to posts not in their language. Alexis is an extraordinary examiner and person who does cutting edge research, mentors others, and finds ways to give back to the community at every opportunity.

Sarah Edwards — Sarah continues to rock putting out information about iOS and Mac forensics. She helped us all understand APFS, released APOLLO, taught examiners how to get file system acquisitions from jailbroken phones, updated the FOR518 class, and shared a whole litany of goodies about KnowledgeC with us over the month of December on her mac4n6 blog.

David Cowen — David is the epitome of the ultimate forensic teacher and mentor. He has encouraged the entire industry to do and share more through the Sunday Funday challenges, which have led multiple examiners to share their dives into specific artifacts and forensic analysis. In addition, he put on two CTFs for the community, maintains his daily blog, and introduced the Forensic Test Kitchen mentioned above. David contributes in one of the most fantastic ways: not only does he share the knowledge he has gained, he challenges the rest of the community to be better and to share what they learn and test. He even shows us how to think out of the box and test to become better examiners. Thank you for making us all better as a community, Dave!

Phill Moore — Most forensic aficionados are aware Phill contributes weekly via thisweekin4n6, but what some may not know is that he doesn’t just compile and interpret the rest of the community’s findings, he also shares his own. Phill has a blog full of his research at https://thinkdfir.com/. In addition to both of his blogs, Phill also does a monthly podcast, This Month in 4n6.  Additionally, he released several scripts this year at https://github.com/randomaccess3, including one for querying Google Home devices.

Yogesh Khatri — Yogesh has released a slew of information this year on his blog https://www.swiftforensics.com/.  One of the things I really appreciate about Yogesh is that he dives deep into both Mac and Windows forensics and is incredibly knowledgeable in both sides of the house.  He posted 8 blog posts this year and multiple scripts. He is the author of the mac_apt project which is incredible. His downloads can be found here: https://www.swiftforensics.com/p/downloads.html

Brett Shavers — Brett shares a massive amount of information and perspective. He does this in a variety of ways through his own blog – https://brettshavers.com/ where he breaks down forensic life for real, as well as through dfir.training mentioned above. In addition, Brett has created a variety of downloadable courses on his website.  Brett also does several case study releases to his Patreon supporters. Brett has a knack for making forensics relatable through his wide array of experiences and explanations.

Dr. Eoghan Casey — Many know Eoghan for his book “Handbook of Digital Forensics and Investigation”; however, Eoghan has made significant further contributions to our community this year. Eoghan continues to contribute through his academic publications and teaching of students. Additionally, he contributes to the community in so many other ways. He has been the leader of the Cyber-investigation Analysis Standard Expression (CASE) movement described earlier. He regularly contributes critical research to a multitude of journals. He is the editor in chief of the Digital Investigation journal. He also oversees the Forensic Challenge that DFRWS puts out, including last year’s challenge around IoT devices. Eoghan has been critical in the DFIR Review project (although that is a 2019 submission), allowing for peer review of practitioner created blogs. In addition to this multitude of contributions, he works with Cyber Sleuths Labs to bring digital forensic education to 9-12th grade women and other underrepresented groups through digital forensic exercises and summer camps. Thank you, Eoghan, for all your contributions to enriching the community and bringing together the future generation of examiners, academia, and practitioners.

Well those are my picks!  Thanks for reading.  Most importantly, if you haven’t done so yet, please head over to https://forensic4cast.com/forensic-4cast-awards/2019-awards/ and nominate any and all examiners, projects, tools, blogs, podcasts, etc. that you feel are worth recognizing. There is too much in forensics for anyone to have a grip on everything and I am eternally grateful to all of the people mentioned here for their contributions to our community.

If you have any comments or questions feel free to reach out to me at Jessica.hyde@magnetforensics.com

The post Who We’re Nominating for This Year’s Forensic 4:cast Awards: Part 1 appeared first on Magnet Forensics.
