In this series, a few forensics experts within Magnet Forensics are sharing their suggestions for nominations in this year’s Forensic 4:cast Awards. In this second installment, Jamie McQuaid, Forensics Consultant, highlights people in the DFIR community who are making valuable contributions. You can submit your nominations (including Magnet AXIOM for DFIR Commercial Tool of the Year) here.
As many of you might have noticed, we’re taking a different approach to the Forensic 4:cast awards this year. Lee Whitfield decided he wanted to make some changes to the awards and formatting, which I think is a great way to get more community involvement and inclusion. With that in mind, a few of us at Magnet Forensics are going to each select a few categories and suggest a few of our own personal favorites that we really enjoyed throughout the year.
For myself, I picked a few categories for things that really stood out for me this past year or something that I used frequently enough that it deserved more recognition. My colleague Jessica Hyde provided some of her favourite picks here in Part 1, so if you haven’t seen those, take a look. I have not seen or discussed picks with her before writing my own, so I have no idea if they will be completely the same or overlap at all. Without further ado, my picks:
DFIR Non-Commercial Tool of the Year
For me, this one is an easy choice. I probably use Volatility more than any other open source tool in my toolbox and I’m sure there are many other examiners out there who feel the same. If analyzing memory was required in an investigation, Volatility has been my primary tool for years and has consistently found relevant data needed to solve my case. Last year, we integrated Volatility into Magnet AXIOM to enhance the memory analysis capabilities which meant I ended up using it even more than before.
DFIR Resource of the Year
I usually read a lot of books, blogs, and other online resources in my own personal time, but that has really been limited this past year with the birth of our second child. Anyone with small children will attest that finding some quiet time to read up on file systems and system internals really takes a hit.
So Phill Moore’s This Week In 4n6 gets my nomination for the Resource of the Year, not only because it’s a great consolidated source of information in the DFIR space but even more for me this year because it has allowed me to get a high level summary of everything going on in the industry without needing to take the extra time to search and find anything that might be interesting or relevant.
DFIR Groundbreaking Research of the Year
For this category, I had to read the description a little closer to understand if my nomination fit here. The keyword for me here is groundbreaking. What was so innovative that it changed how we conduct DFIR investigations?
With that in mind, I think it’s an easy choice to nominate Grayshift’s ability to exploit iOS devices and crack passcodes with its GrayKey tool. Apple has continued to lock down access to its devices year after year and we’ve generally had to accept it. Prior to Grayshift’s breakthrough technology and methods, we were all stuck with iTunes backups and even then, only on unlocked devices. While its technology is limited to law enforcement only and doesn’t benefit the entire DFIR community, I still think it deserves recognition for having such a huge impact on our industry in such a short period of time. In the year it has been available, I have heard many stories where it has enabled access to devices that saved lives, rescued children and helped solve some of the worst crimes that law enforcement has to deal with on a regular basis, and that’s why they get my nomination.
Overall, I have a ton of other favourites (this industry makes it easy) that I will likely nominate and vote for, but these ones really stood out to me for their contributions to our industry and more directly my daily work in this industry.
You may have already read about some great picks for nominations from my colleagues at Magnet. If not, be sure to check out Part 1 of this series by Jessica Hyde and Part 2 by Jamie McQuaid. In this third installment, I will be giving my personal nods to some stand out contributors to the field. These are my personal opinions, not the official opinions of Magnet Forensics. Read on to see a few of my choices!
If you’re looking for a great reference for smartphone forensics, look no further. Practical Mobile Forensics receives my nomination because of the vast amount of useful information on iOS, Android, and Windows mobile devices. From acquisitions to analysis and all the questions that arise in between, this book offers a thorough guide to help both experienced examiners and newcomers to the field tackle a case involving smartphone forensics. I have used this book for reference many times over the years when performing mobile examinations, and valuable updates were added with the release of the third edition in early 2018.
Volatility is a standout pick to me when it comes to open source forensic tools. Utilizing Volatility when conducting memory analysis is common practice in my experience, and so I feel pretty strongly in this recommendation. The wide array of plugins for Windows, Linux, and Mac platforms give examiners ample ability to conduct in-depth memory analysis for almost any investigation. I have found Volatility to be a vital analysis tool in many examinations I have worked.
DFIR Undergrad, Graduate, or Training Class of the Year
As a graduate of this program myself, I am thrilled to recommend the Digital Forensics Undergraduate Program at Bloomsburg University for nomination. The program is updated continuously and is incredibly comprehensive, covering file systems, mobile devices, Python scripting, E-Discovery, tech writing, malware forensics, and so much more. Students are trained to use the most popular and up-to-date commercial forensic tools in preparation for real world lab environments, arming graduating students with a solid knowledge base to prepare them for a career in the DFIR industry.
Bloomsburg’s Digital Forensics program is recognized as a National Center of Academic Excellence (CAE) in Cyber Defense Education with a focus in the area of digital forensics by the National Security Agency and the Department of Homeland Security. Additionally, they hold an annual digital forensics conference, BloomCON, which last year drew in over 500 attendees. BloomCON offers both students and professionals a great venue to interface within the DFIR community, as well as informative lectures and fun forensics challenges.
The mentions above are just a few acknowledgements that have personally influenced my work in digital forensics, but I am extremely appreciative of the work that everyone in the DFIR community has done to truly make a positive impact. Thanks for reading everyone, and don’t forget to nominate your picks for the Forensic 4:cast Awards!
We’re excited to announce our new self-service Customer Portal and knowledge base. We’ve revamped the entire portal to help you get the answers you need as quickly as possible.
Using your existing Customer Portal account, you can access product downloads, read product documentation, log support tickets, and search more than 125 how-to, solution, and reference support articles!
The new knowledge base helps Magnet Forensics better support you outside our standard hours of support (Monday – Friday from 8:30 to 5:30 Eastern Time). By typing a question, keyword, or topic in the search bar, you can discover solutions to common troubleshooting questions, learn how to use key product features, read the latest release notes, and more.
Check back soon! Over the coming months, we’ll not only continue to build out the portal with new features, but we’ll also continue to add new articles to the knowledge library. If you have suggestions for knowledge base articles, or other ideas for the portal, you can submit them to docs.feedback@magnetforensics.com.
In this series, a few forensics experts within Magnet Forensics are sharing their suggestions for nominations in this year’s Forensic 4:cast Awards. In this fourth (and final) installment, Trey Amick, Forensics Consultant, highlights people in the DFIR community who are making valuable contributions. You can submit your nominations (including Magnet AXIOM for DFIR Commercial Tool of the Year and MAGNET App Simulator for DFIR Non-Commercial Tool of the Year) here.
Since 2009, Lee Whitfield has organized, promoted, and published the annual Forensic 4:cast Awards. Lee does this as a community event with both a nomination and a voting phase. During the nomination phase, you can nominate as many tools, projects, and people as you want for each category. The rules and list of categories can be found here.
For myself, I’ve highlighted a couple of categories listed below. My colleagues shared their nominations in previous posts: Tarah Melton provided some of her favorite picks here in Part 3, while Jamie McQuaid provided his insights in Part 2. Jessica Hyde kicked off our Forensic 4:cast series, naming her picks in Part 1, so if you haven’t seen those articles make sure to take a look. These are my personal opinions, not the official opinions of Magnet Forensics.
DFIR Groundbreaking Research of the Year
As soon as I read “Groundbreaking Research” I knew who I wanted to nominate for this category: Grayshift, makers of GrayKey. For years, forensicators have been challenged when confronted with iOS investigations due to the limited access Apple allows in most circumstances. Casework revolving around iOS investigations, specifically for law enforcement, received quite a surprise last year when this new technology was announced, allowing for both file system level acquisitions and password cracking. For the first time in years, law enforcement investigators have a tool backed by amazing research that provides a new avenue for gaining access to information that can be invaluable in an investigation.
In the year since GrayKey was released, I’ve heard countless stories from my brothers and sisters in blue where the data acquired has been the difference between closing the case and it remaining open with little hope of being solved. Grayshift has changed many departments’ iOS processing procedures over the last year, based on the research that went into allowing for a collection that far exceeds the logical / iTunes-based backup that forensics professionals were left with in years past.
DFIR Blog of the Year
Since my last nomination revolved around research on iOS security, my next pick continues the trend with DFIR Blog of the Year, for which I would like to nominate Sarah Edwards (@iamevltwin)! Sarah consistently provides valuable research and tools for the DFIR community on her website, http://www.mac4n6.com. The website is packed full of great macOS and iOS forensic blogs, while also including links to the different presentations Sarah has given. Sarah is also the brains behind the popular SANS Mac Forensic Analysis class, FOR518.
The Apple Pattern of Life Lazy Output’er (APOLLO) project was released by Sarah in early November at the Objective by the Sea conference, with many updates coming in the form of her blog series since. APOLLO is a collection of Python scripts, or as they are referred to on the blog, modules, that run SQL queries against the various databases found within iOS and macOS systems. Since November of 2018, http://www.mac4n6.com has had consistent updates to the research and modules for APOLLO, which is a fantastic resource for the DFIR community. If you haven’t yet, make sure you bookmark Sarah’s blog!
There has been tremendous work done by so many researchers in the DFIR community over the last year, and while I’ve only named a couple here, make sure to vote for as many nominees as you can for this year’s Forensic 4:cast awards. As I mentioned earlier, you can nominate as many individuals, projects, and software as you want!
The innovation of Magnet AXIOM 3.0 continues with the release of Magnet AXIOM 3.1—which is now available to download! Either upgrade within AXIOM, or head over to the Customer Portal to download AXIOM 3.1.
In this release, we’re excited to have developed our exclusive technology partnership with Grayshift by integrating the loading of GrayKey images directly within AXIOM. We’ve also introduced a new SQLite viewer to give you better access when reviewing SQLite databases. And we’ve brought support for 12 Chromium-based browsers on Android—leading to 90 new supported artifacts.
On top of these new features, we’ve continued to build on the great new features of AXIOM 3.0, with new Mac artifacts and further enhancements to Cloud acquisition (including Facebook Warrant Returns and public Twitter acquisitions), Timeline, and media categorization.
If you’re not already using AXIOM and want to try AXIOM 3.1 for yourself, request a trial today.
Sal Aziz, a Product Marketing Manager at Magnet Forensics, shares some of the highlights of Magnet AXIOM 3.1.
This integration streamlines the process of selecting and loading GrayKey images. Once connected, you can see all images stored on the device and pick the image components you want to process. AXIOM looks after loading the image from GrayKey into AXIOM and uses the image hashes to validate that the files were loaded correctly, so the image you process is the image GrayKey produced.
Want to learn more about using AXIOM and GrayKey together in your iOS investigations? Join us and Grayshift for a live webinar on May 21 at 10:00 AM and 2:00 PM ET. You can register here.
New in AXIOM 3.1: SQLite Viewer
The new SQLite viewer will give you greater flexibility in reviewing evidence so you can quickly and easily find the most relevant data. The new viewer includes the ability to:
Quickly review table contents
Filter on columns
Search tables
Execute custom SQL queries
Export directly to .CSV and Excel files
The new SQLite viewer is launched when you select any .db or .sqlite file from the File System Explorer. It will allow you to stay within the context of AXIOM while enabling advanced search and review capabilities—speeding up your manual review and validation times.
Updates to Facebook Warrant Returns and Public Twitter Acquisitions
AXIOM 3.0 brought the ability to process Facebook Warrant Returns using AXIOM Cloud, as well as gathering data from public Twitter profiles. With AXIOM 3.1, we’re ensuring that you can get even more data from those sources.
Facebook Warrant Returns
Facebook Warrant Returns include a lot of information about a suspect’s Facebook activity, including details on anything they posted to the platform. AXIOM 3.1 adds the ability to collect and display information on pictures and status updates posted by the user.
Twitter
If you’re looking to collect publicly available Twitter information, you now have better control over the information you want to acquire. Now you can decide to only collect:
Tweets (all public tweets authored by or retweeted by the user)
Who they’re following (account information for accounts that the user follows)
Followers (account information for accounts that follow the user)
This update can greatly improve collection times, especially for accounts with a large number of tweets, followers, or followed accounts that may not be relevant to the investigation.
Now Supporting 12 New Chromium-Based Browsers for Android
AXIOM 3.1 introduces support for 12 new Chromium-based Android browsers and 90 new artifacts including web history, downloads, bookmarks, search details and more!
There are many different Chromium-based browsers available to users that are popular in different regions and often advertise enhanced security or privacy capabilities. Each browser stores its own data including browser history, bookmarks, search history and other important artifacts that may be crucial to an investigation. With this added support, you will have more opportunities to identify critical evidence in your cases through artifacts. Here are the browsers now supported:
As always, we’re working to continually improve the performance of AXIOM. With AXIOM 3.1, we have reduced the amount of data we store in the attachment database when carving videos from evidence files, reducing the amount of memory used during processing as well as the footprint of the case on disk. In a baseline 500GB case, the overall footprint on disk was reduced from 227GB to 140GB, a reduction of roughly 38%.
Additionally, we’ve continued to refine the performance of the new Timeline view, introduced in AXIOM 3.0.
Support for Exporting Media in Project VIC JSON Version 2.0
AXIOM now supports exporting media in the Project VIC JSON version 2.0—in addition to the existing support for version 1.2 and 1.3. VICS 2.0 adds support for associating a number of additional attributes with media to support advanced investigative techniques. This will be helpful when you want to be able to leverage extended VICS data to better understand which media should be sent to Victim Identification teams for review.
We’re happy to announce from Techno Security in Myrtle Beach that Magnet AXIOM 3.2 is now available to download! Either upgrade within AXIOM, or head over to the Customer Portal to get AXIOM 3.2.
In this release, we’re bringing support for Instagram warrant returns, the ability to search recently deleted files that are stored in the Free Queue on Mac computers, and improvements to our recently enhanced SQLite Viewer.
If you’re not already using AXIOM and want to try AXIOM 3.2 for yourself, request a trial today.
Instagram Warrant Returns
In addition to support for Facebook Warrant Returns, AXIOM can now ingest and analyze warrant returns from Instagram. This will help shed light on a person’s online persona, letting you see who is following the user, who the user is following, posts, direct stories, and direct shares (including media and messages).
Find More Deleted Data
In addition to searching the known file system for artifacts, AXIOM will now search recently deleted files that are still held in the APFS Free Queue on Mac computers.
Also, when AXIOM encounters a container such as a mobile backup or archive (e.g. zip or tar files), it will now search deleted archives for additional artifacts.
You can now convert various different data types in SQLite to more human-readable data, including date/times, binary data and various types of encoded strings. For binary data, you can view common data types such as pictures and plists within AXIOM. And we’ve added “open with” functionality to give you the ability to open binary data in an app or program of your choice.
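Both the APOLLO modules described in the Forensic 4:cast nominations above and the SQLite viewer conversions described here rest on the same pattern: run a query, then turn raw column values (epoch timestamps, BLOBs) into something an examiner can read. The following is an added example, not code from APOLLO, Magnet AXIOM, or the original post. The in-memory table is a constructed, simplified stand-in loosely shaped like knowledgeC.db's ZOBJECT table, and the module name and rows are assumptions for illustration; the epoch offsets for Cocoa, WebKit and Unix time and the bplist/JPEG/PNG magic bytes are standard values.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs behind the three timestamp formats an examiner meets most often in
# SQLite databases pulled from iOS/macOS and browsers. Cocoa ("Mac absolute")
# time counts seconds from 2001-01-01, WebKit/Chromium time counts microseconds
# from 1601-01-01, and Unix time counts seconds from 1970-01-01 (all UTC).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(value):
    """Cocoa/Mac absolute time (seconds since 2001-01-01 UTC) -> ISO-8601."""
    if value is None:
        return None
    return (COCOA_EPOCH + timedelta(seconds=float(value))).isoformat()


def webkit_to_iso(value):
    """WebKit/Chromium time (microseconds since 1601-01-01 UTC) -> ISO-8601."""
    if value is None:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=int(value))).isoformat()


def unix_to_iso(value):
    """Unix time (seconds since 1970-01-01 UTC) -> ISO-8601."""
    if value is None:
        return None
    return (UNIX_EPOCH + timedelta(seconds=float(value))).isoformat()


def decode_blob(blob):
    """Classify a BLOB by its leading bytes and decode what can be decoded.
    Binary plists ('bplist00') are parsed; JPEG/PNG are labelled by type so a
    viewer can hand them to an image renderer; anything else is left as hex."""
    if blob is None:
        return None
    if blob[:6] == b"bplist":
        return {"type": "bplist", "value": plistlib.loads(blob)}
    if blob[:3] == b"\xff\xd8\xff":
        return {"type": "jpeg", "size": len(blob)}
    if blob[:8] == b"\x89PNG\r\n\x1a\n":
        return {"type": "png", "size": len(blob)}
    return {"type": "unknown", "hex": blob.hex()}


# A module in the APOLLO sense: one SQL query plus a decoder for each column
# whose raw value is not human-readable. Constructed layout, see lead-in.
APP_IN_FOCUS = {
    "name": "app_in_focus",
    "query": """
        SELECT ZSTREAMNAME, ZSTARTDATE, ZENDDATE,
               ZENDDATE - ZSTARTDATE AS DURATION_S,
               ZVALUESTRING, ZMETADATA
        FROM ZOBJECT
        ORDER BY ZSTARTDATE
    """,
    "decoders": {
        "ZSTARTDATE": cocoa_to_iso,
        "ZENDDATE": cocoa_to_iso,
        "ZMETADATA": decode_blob,
    },
}


def run_module(conn, module):
    """Run a module's query and apply its column decoders to every row."""
    cur = conn.execute(module["query"])
    columns = [d[0] for d in cur.description]
    rows = []
    for raw in cur.fetchall():
        rec = dict(zip(columns, raw))
        for col, decoder in module["decoders"].items():
            if col in rec:
                rec[col] = decoder(rec[col])
        rows.append(rec)
    return rows


def build_sample_db():
    """Constructed in-memory database; not data from any real device."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZSTARTDATE REAL, ZENDDATE REAL, ZVALUESTRING TEXT, ZMETADATA BLOB)"
    )
    meta = plistlib.dumps({"bundle": "com.apple.mobilesafari"},
                          fmt=plistlib.FMT_BINARY)
    conn.executemany(
        "INSERT INTO ZOBJECT VALUES (NULL, ?, ?, ?, ?, ?)",
        [
            ("/app/inFocus", 578000000.0, 578000120.5, "com.apple.mobilesafari", meta),
            ("/display/isBacklit", 578000200.0, None, "1", None),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in run_module(build_sample_db(), APP_IN_FOCUS):
        print(row)
```

Decoders are bound to named columns rather than guessed from the value, because a REAL column holding 578000000 is a Cocoa timestamp in one table and a Unix timestamp in another; validating the epoch you chose against a known event on the device is the check that catches the wrong guess.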
Media Categorization Enhancements
On top of the enhancements brought to media categorization in AXIOM 3.0, AXIOM 3.2 now supports setting a priority when configuring hash sets. This matters when the same hash value appears in more than one hash set under different categories: AXIOM assigns the category from the higher-priority set, so the evidence lands in the proper category.
Summary information has also been added to PDF and HTML reports, making it easier to see how much known content was found by hash sets. It also lets you see the breakdown of content by category for material graded by reviewers, making it easier to gather this information for reporting and charging purposes.
Additionally, AXIOM 3.2 now has the capability to more easily export reviewer graded content and select the specific categories that get hash data/media attachments included in the export when submitting back to Project VIC or CAID repositories.
Project VIC International and its partners are at the forefront helping to identify and rescue children from sexual exploitation. The VICS standard developed by Project VIC International sets the bar for many tools that law enforcement agencies around the world use for their child exploitation investigations.
Magnet Forensics and Project VIC International are proud to announce that Magnet AXIOM is now VICS certified for use with Project VIC and CAID hash sets.
Richard Brown, Director of Project VIC International says “Magnet Forensics has released one of the most comprehensive updates focusing on child protection by incorporating multi-national support for Project VIC child rescue ecosystems and combining this effort with artificial intelligence layers to assist our Victim Identification experts in rescuing children from continued abuse.”
The importance of thoroughly and efficiently organizing and sharing relevant media data is especially apparent when working ICAC investigations. Examiners need to be able to easily focus their analysis to provide rapid support to potential victims. The hash sets provided by Project VIC and CAID allow for just that.
Jad Saliba, Founder & CTO of Magnet Forensics says “Internet Crimes Against Children are some of the most horrific cases seen by Law Enforcement today. Alongside our partners like Project VIC International we’re constantly working to make sure that those who are undertaking this unbelievably important work have the best tools possible to get through more cases, faster, and with less exposure to the materials themselves.”
These hash sets allow for the sharing of hashes of known child sexual abuse material (CSAM), resulting in the rapid identification of illicit media on seized devices. Through the VICS metadata shared, examiners and investigators can focus their efforts on unknown victims or offenders to better prioritize victim identification investigations. Over time, this allows for more victims to be rescued, streamlines work efforts for participating agencies, and helps to limit overexposure to illicit material.
How Magnet AXIOM Helps for Child Exploitation Investigations
Rapid Media Categorization
AXIOM’s new media categorization features make it even easier to use Project VIC and CAID data to focus your investigation. Examiners now have the capability to efficiently grade media in AXIOM’s thumbnail view, leveraging keyboard shortcuts and rich previews to quickly move through large amounts of content in a case. This saves precious time in your workflow by reducing the number of steps needed to move data between different tools for grading, and allowing the examiner to grade all of the media directly in AXIOM.
VICS metadata is also now shown for matched media items, during pre-categorization, to help focus victim identification efforts on unknown persons. Once categorization has been completed for a case, examiners can immediately save their results back to AXIOM’s hash database for use in future case work, and upload back to Project VIC or CAID for all other investigators to benefit from.
To read more about media categorization, you can check out a detailed how-to document here and watch an embedded video to see it in action.
Easy Management & Sharing of Hash Sets
Following the value that the Project VIC team puts on maintaining the quality of these datasets and providing a simple experience for users, we are committed to continuously enhancing our support for leveraging VICS data to assist in your forensic examinations. Much effort has been put into making sure that adding data from Project VIC or CAID in AXIOM happens as quickly and easily as possible.
AXIOM now supports import and export of VICS 2.0 JSON data for use in investigations. Exporting in VICS format allows examiners to share findings back to the various national VICS repositories (Project VIC US, Project VIC Canada, CAID, etc.) for review, adding more relevant data which ultimately benefits the rest of the forensic community. AXIOM now also offers support for importing incremental hash sets to save time when updating Project VIC or CAID data for your cases.
Magnet Forensics is excited to continue working closely with Project VIC International and the community to take steps towards reducing the possible intermixing of unrelated hash sets, ensuring a high degree of quality control on the hash sets you use in your investigations.
Leveraging AI to Surface Content of Interest Quickly
Using Magnet.AI, examiners can process pictures and text-based conversations to quickly filter and sort possible CSAM content for further review by investigators. Magnet.AI identifies possible CSAM content, nudity, bedroom scenes, and much more in media, and flags chat messages with sexual content and potential luring conversations. Found content is tagged and surfaced for review in AXIOM’s Case Dashboard, saving time and providing a more informed starting point for your investigations.
Certification is an Important Step
Certification by Project VIC International is an important step for Magnet Forensics to move forward in helping law enforcement agencies worldwide rescue children from unspeakable situations and apprehend offenders.
In places like the UK, where tools must be certified by Project VIC International and have support for CAID hash sets, Magnet AXIOM is now an option for agencies to use within their child exploitation investigations.
Brown of Project VIC International says “Magnet Forensics’ new advancements in the child protection area are much needed. Police need to be armed with the best tools technically possible to fight this heinous crime. Magnet Forensics’ contributions and innovation in artificial intelligence are just some examples of their dedication to child protection globally.”
We hope you will utilize our continued developments of Magnet AXIOM for your investigations and, as always, your feedback is encouraged so that we can provide our customers with the best experience possible. Please reach out to me at tarah.melton@magnetforensics.com with any comments or questions.
Magnet AXIOM 3.3 is now available within AXIOM or as a download over at the Customer Portal.
In this release, we’re bringing more warrant returns, performance improvements, and SIM card support. If you’re not already using AXIOM and want to try AXIOM 3.3 for yourself, request a trial today.
New Snapchat Warrant Returns and Facebook Warrant Return Improvements
AXIOM Cloud can now ingest and analyze warrant returns from Snapchat to help shed light on a person’s online persona, allowing you to recover messages, group chat details, and all media files.
AXIOM 3.3 also brings support for a new format of HTML file-based warrant returns from Facebook, alongside the older, previously supported format.
SIM Card Imaging and Processing
AXIOM 3.3 now lets you recover information stored on SIM cards, such as contacts and any SMS messages, along with SIM-specific identifiers such as the Integrated Circuit Card ID (ICCID) and the International Mobile Subscriber Identity (IMSI).
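The ICCID and IMSI are not stored on the SIM as text. They live in elementary files as nibble-swapped packed BCD, which is why a raw dump of EF_ICCID looks like the digits in the wrong order. The following added example (not AXIOM’s code and not from the original post) decodes constructed EF_ICCID and EF_IMSI records, validates the ICCID’s Luhn check digit, and splits the IMSI into MCC, MNC and MSIN. The record layouts follow ETSI TS 102 221 and 3GPP TS 31.102; the sample byte strings are constructed, and the MNC length is passed in explicitly because it has to come from EF_AD or the numbering plan, not a guess.

```python
# EF layouts per ETSI TS 102 221 / 3GPP TS 31.102 (standard facts, not from the page):
#   EF_ICCID (2FE2): 10 bytes of packed BCD, low nibble first, 0xF padding.
#   EF_IMSI  (6F07): byte 0 = length of the value that follows; byte 1 low
#     nibble = identity type (bits 1-3 = 001 for IMSI) plus a parity bit
#     (bit 4 set when the digit count is odd), high nibble = first digit;
#     remaining bytes are packed BCD, low nibble first.


def unpack_bcd(data):
    """Expand nibble-swapped packed BCD into a digit string, stopping at 0xF."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            if nibble > 9:
                raise ValueError(f"non-BCD nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(digits):
    """ICCIDs carry a Luhn check digit (ITU-T E.118). Use it to catch a
    misread or truncated EF before trusting the identifier in a report."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_iccid(ef_iccid):
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return unpack_bcd(ef_iccid)


def decode_imsi(ef_imsi):
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if length == 0 or len(body) != length:
        raise ValueError("EF_IMSI length byte does not match record")
    marker = body[0] & 0x0F
    if marker & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    digits = str(body[0] >> 4) + unpack_bcd(body[1:])
    odd = bool(marker & 0x08)
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("parity bit disagrees with digit count")
    return digits


def split_imsi(imsi, mnc_len):
    """MCC is always 3 digits; MNC is 2 or 3 and must be taken from EF_AD
    (6FAD, 4th byte) or the operator numbering plan rather than guessed."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


# Constructed sample records (not read from a real SIM).
SAMPLE_EF_ICCID = bytes.fromhex("9810621032547698" "10F1")
SAMPLE_EF_IMSI = bytes.fromhex("08" "39" "01621032547698")

if __name__ == "__main__":
    iccid = decode_iccid(SAMPLE_EF_ICCID)
    print("ICCID", iccid, "luhn ok" if luhn_valid(iccid) else "luhn FAIL")
    imsi = decode_imsi(SAMPLE_EF_IMSI)
    print("IMSI", imsi, split_imsi(imsi, mnc_len=3))
```

The parity and identity-type checks in decode_imsi are cheap and worth keeping: a record read from the wrong EF, or a SIM with an unusual length byte, fails loudly instead of producing a plausible-looking but wrong subscriber identity.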
LG Lock Bypass Support
You can now bypass the lock screen on certain LG-based devices and perform an acquisition of the device without needing the passcode. Keep in mind that this method does not work with all LG devices; LG Nexus devices in particular are not supported.
The same media category is automatically applied to other media items that have matching hashes, keeping you from duplicating the work or being exposed to the same content again
A media categorization summary report is available (in HTML and PDF) and includes the number of unique hashes in each category, helping you determine how many illegal images were found in the case
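The following added example (my own illustration, not AXIOM’s implementation) shows the logic behind the hash set priority described for AXIOM 3.2 above and the two points just listed: merging hash sets so that the higher-priority set wins when one hash appears under different categories, propagating an examiner’s grade to every item with the same hash so duplicates are never viewed twice, and counting unique hashes per category the way a summary report would. The hash set names, priorities, category labels and media items are all constructed; real deployments use the categories defined by the Project VIC or CAID schema their agency follows.

```python
import hashlib
from collections import defaultdict


class HashSet:
    """One imported hash set: a name, a priority (higher wins on conflict)
    and a mapping from media hash to category."""

    def __init__(self, name, priority, entries):
        self.name = name
        self.priority = priority
        self.entries = dict(entries)


def build_lookup(hash_sets):
    """Merge hash sets into one hash -> (category, source) table. When the
    same hash appears in several sets under different categories, the set
    with the higher priority wins; an exact tie is a configuration error."""
    lookup = {}
    for hs in sorted(hash_sets, key=lambda h: h.priority, reverse=True):
        for digest, category in hs.entries.items():
            if digest in lookup:
                prev_cat, prev_src, prev_pri = lookup[digest]
                if prev_cat != category and prev_pri == hs.priority:
                    raise ValueError(
                        f"{digest}: {prev_src} and {hs.name} conflict at equal priority")
                continue  # a higher-priority set already decided this hash
            lookup[digest] = (category, hs.name, hs.priority)
    return {d: (c, s) for d, (c, s, _) in lookup.items()}


def precategorize(items, lookup):
    """Known media get their category from the hash sets; unknown media stay
    ungraded (None) and are what the examiner actually has to review."""
    for item in items:
        hit = lookup.get(item["hash"])
        item["category"], item["source"] = hit if hit else (None, None)
    return items


def grade(items, digest, category):
    """Apply an examiner's grade to every item with the same hash. Returns
    the number of additional items the examiner did not have to look at."""
    matched = [i for i in items if i["hash"] == digest]
    for item in matched:
        item["category"], item["source"] = category, "examiner"
    return max(len(matched) - 1, 0)


def summary(items):
    """Unique hashes per category, as a categorization summary report counts
    them: several copies of one file are one hash, not several images."""
    per_cat = defaultdict(set)
    for item in items:
        if item["category"] is not None:
            per_cat[item["category"]].add(item["hash"])
    return {cat: len(hashes) for cat, hashes in per_cat.items()}


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# Constructed sample hashes and media; no real material is involved.
H1, H2, H3, H4 = (sha1(b"constructed-%d" % n) for n in range(1, 5))
SAMPLE_SETS = [
    HashSet("VIC-US", priority=2, entries={H1: "CSAM", H2: "Non-pertinent"}),
    HashSet("CAID", priority=1, entries={H1: "Exploitive", H3: "CSAM"}),
]
SAMPLE_ITEMS = [
    {"id": "IMG_0001.jpg", "hash": H1}, {"id": "IMG_0001 (1).jpg", "hash": H1},
    {"id": "cat.png", "hash": H2}, {"id": "vid_07.mp4", "hash": H3},
    {"id": "unknown_a.jpg", "hash": H4}, {"id": "unknown_b.jpg", "hash": H4},
]

if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_SETS)
    items = precategorize(SAMPLE_ITEMS, lookup)
    spared = grade(items, H4, "Exploitive")
    print(summary(items), "duplicate views spared:", spared)
```

Raising on an equal-priority conflict rather than silently picking one set is deliberate: the category attached to a hash can end up in a charging decision, so a disagreement between two sources should be resolved by the examiner, not by whichever set happened to load first.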
Performance Improvements
AXIOM 3.3 is optimized to perform faster with large data sets. You should see a significant gain in performance when doing case load, searching, filtering, and sorting.
With the latest release of Magnet AXIOM, we’ve brought a host of new features that will help reduce the stress on examiners exposed to disturbing materials, particularly CSEM.
Get Magnet AXIOM 3.4 within AXIOM or as a download over at the Customer Portal today to utilize these new Officer Wellness features as well as a number of new updates that are making Mac investigations faster and more robust.
If you’re not already using AXIOM and want to try AXIOM 3.4 for yourself, request a trial today.
Officer Wellness for ICAC Investigations
A message from Magnet Forensics Founder & CTO, Jad Saliba regarding Officer Wellness.
The effects of chronic exposure to CSEM or IIOC (indecent images of children) can be immense for those performing ICAC investigations, including depression, feelings of worthlessness and thoughts of death or suicide.
With this in mind, we’ve included new features in AXIOM that can reduce overexposure to CSEM, with the goal of improving officer wellness. These features are configurable and optional, allowing examiners to work the way they want:
Blur or block media thumbnails
Mute audio on videos
Set timer reminders to take breaks or alerts to stop grading
View grading progress and set goals for amount of media graded
Trey Amick, Forensic Consultant, walks through some of those features and how they can be beneficial to those who are performing ICAC investigations.
It has become commonplace for forces to include SOPs for officer wellness, specifically for those officers supporting ICAC investigations who are directly exposed to illicit material, particularly during grading. Encouraging officer wellness directly within AXIOM simplifies the implementation of SOPs and reduces burden on ICAC investigators.
To learn more about how we’re addressing the challenges of ICAC investigations, sign up for our webinar on August 1. If you can’t make it to the live presentation, register anyway and we’ll send along a link to the recording afterwards.
Continued Mac Support
Our support for macOS and APFS has continued to develop since the release of AXIOM 3.0, and we’re excited to share that we’ve significantly reduced the time it takes to scan Mac images. We’ve seen speed improvements of 4x and more; in one example, a scan that once took 4 ½ hours now takes just 52 minutes!
Display Spotlight Metadata from macOS
Files on macOS can carry a number of additional attributes associated with each file on the file system, typically referred to as extended attributes. AXIOM 3.4 surfaces this metadata in a new card in the details pane, providing a view of common attributes of interest in the Artifact Explorer and a full listing of attributes in the File System Explorer.
Carve Unallocated Space for Artifacts on APFS
Following on our support for carving the macOS free queue for artifacts in AXIOM 3.2, AXIOM 3.4 now adds support for carving unallocated space on APFS. This is typically limited to files that have been deleted and their associated blocks released back to the filesystem since the last password change.
Enhanced Snapchat Support for iOS and Android
We’ve brought enhanced support to Snapchat, one of the world’s most popular apps. On Android, you can now recover chat messages, contacts, groups, and account information, as well as media from Snapchat Memories, including the ‘My Eyes Only’ feature. On iOS, you can recover information from Snapchat My Story, along with saved messages.
MTK Backup Acquisition and Processing
MediaTek (MTK)-based devices offer users the ability to back up user data to an SD card, even on locked devices. AXIOM now supports acquiring and processing these backups and includes a guided workflow that walks examiners through generating the backup on the device and processing the data within AXIOM.
Examiners with a locked cell phone with a MediaTek chipset can attempt to use this method to gain access to the device information without requiring the device passcode.
One of the improvements in the recent 3.4 release of Magnet AXIOM is a significant reduction in APFS processing times, getting investigators to their data as quickly as possible. Since AXIOM 3.0 was released earlier this spring, we’ve continued expanding our macOS artifacts, which now also include Free Queue carving, carving of unallocated space, and parsing of the Spotlight metadata of files located on the system.
Get Magnet AXIOM 3.4 within AXIOM or as a download from our Customer Portal today to utilize the new Mac performance enhancements as well as new Officer Wellness features. Watch this video to learn more on the Officer Wellness features found in AXIOM 3.4 or watch our recent webinar: Addressing The Challenges of ICAC Investigations.
Mac Performance Enhancements
Before we get to the results of the testing, let’s first review the parameters of the test.
For these trials, we’ve run AXIOM before and after the 3.4 release on the same MacBook Air Image on two different machines. The MacBook Air housed an APFS formatted 256GB drive, and Recon Imager Pro was used to create the .E01 measuring 69GB in size.
The image contains four APFS volumes listed below:
Volume 1: MacHD: 104.69GB
Volume 2: Preboot: 43.61MB
Volume 3: Recovery: 498.51MB
Volume 4: VM: 2GB
It’s also worth noting that in APFS investigations examiners will typically see four volumes: the system volume plus Preboot, Recovery, and VM. The “MacHD” volume in this case had been renamed from “Macintosh HD”. If additional APFS volumes are present, it’s recommended they be imaged and reviewed as part of the investigation, because a user can easily create additional APFS volumes with macOS’s built-in Disk Utility application.
The hardware used for testing the new enhancements included both an i9-powered machine and an i7 machine:
Dell XPS 15: i9-8950HK CPU @ 2.90GHz, 6 cores / 12 logical processors, 32GB RAM, Windows 10 Pro
2018 MacBook Pro (i7)
Both machines were connected over USB-C / USB 3.1 to two external 1TB SSDs (Samsung T5), one used for case files and the other for forensic images.
Each case file created for these tests was approximately 23.6GB.
The Results
Utilizing the boot-camped MacBook Pro (i7) and AXIOM 3.2.1, we initiated our first test processing only the MacHD volume, with all artifacts selected, as well as MD5 hashing turned on. Once complete, we had over 970,000 artifacts to review, but processing of the one APFS volume took 23 hours, 38 minutes, and 29 seconds. Our second test with the i7 powered MacBook Pro and the newly released AXIOM 3.4 took only 8 hours, 49 minutes, 15 seconds, resulting in a 62.69% decrease in processing time!
As seen below, the CPU was being used to its full potential while AXIOM 3.2.1 was processing the image file.
The next contender, an i9 powered Dell XPS15 coupled with AXIOM 3.3.1 completed processing of all four volumes listed above with all artifacts turned on, and MD5 hashing selected in 12 hours, 14 minutes, and 18 seconds. After a quick AXIOM update to 3.4 the test was repeated utilizing the same standards as the rest of the trials, with processing time cut to 5 hours, 24 minutes, and 28 seconds. The Dell XPS processing time was reduced by a staggering 55.81% after updating to AXIOM 3.4.
Evidence of how hard our developers have been working to improve performance for our customers can be seen below with a staggering decrease of processing time ranging from 55% to 62% between the two test machines. Also, keep in mind the AXIOM 3.4 builds included additional processing with the addition of the Spotlight metadata being parsed as well as searching across unallocated space on the volumes. In an upcoming blog, we’ll explore what information can be gleaned from both Extended Attributes and Spotlight metadata found on macOS systems.
If you have any questions, or have suggestions on new macOS artifacts that you’d like to see added to AXIOM, contact trey.amick@magnetforensics.com.
We’re honored to again be recognized by the Digital Forensics Community in this year’s Forensic 4:cast Awards — this year in the newly created DFIR Commercial Tool of the Year and DFIR Team of the Year categories!
Of course, we want to not only thank every single person who took a moment to nominate and vote for Magnet Forensics, but we want to thank Lee Whitfield for taking the time to put these important awards together year after year. His efforts are greatly appreciated and we’re glad to be able to share these honors with several other amazing contributors within the community!
The Magnet Forensics team accepts the award from Lee Whitfield at the SANS DFIR Summit.
Announced at the SANS DFIR Summit in Austin, Texas, the awards recognize those in the DFIR community who are making a huge difference within the field. Our founder and CTO, Jad Saliba, shared his reaction: “What an amazing honor! Huge thanks to everyone who voted for us and has supported us over the years – you are the people that do the extremely important work and we are honored to support you with our team and tools. A huge thank-you to our team at Magnet as well! Truly a world class group of people that I am so proud and grateful to work with. Thanks for everything you do everyday to support our customers and for coming up with innovative new features like our recent #OfficerWellness features – doing the right things for the right reasons. Looking forward to doing more great things together! ”
Adam Belsher, our CEO, added: “Thank you to all our customers for the honor of serving you. Your passion and important work keep us motivated and committed to working alongside you in supporting your mission. I have never worked with such an inspiring group of individuals as at Magnet Forensics, and I’m proud to be on this journey with all of you!”
If you want to catch up on our nomination series, you can find who are Forensic Examiners highlighted here: Part 1, Part 2, Part 3, Part 4. Want to know more about our previous wins in the Organization of the Year and Computer Forensic Tool of the Year categories? Read our previous post here.
With the release of Magnet AXIOM 3.5, we’ve focused on features that improve the quality of life for our users. In this Q&A, we talk to Filip Jadczak, a UX Designer at Magnet Forensics about his approach to usability, new features, and more!
Magnet Forensics: Tell us what you do here at Magnet Forensics.
Filip Jadczak: I’m a User Experience (UX) Designer here at Magnet Forensics. That means I design the new features that go into each new release of AXIOM and determine how we display information to our users in the interface. I also maintain contact with our customers to understand what challenges they face, so we can constantly improve their experience with AXIOM.
MF: Why are you passionate about usability/user experience?
FJ: Every day, we are seeing how digital technologies are being integrated into every industry – and with that comes a variety of tools and apps, each with their own interface. Usability in these interfaces is critical to ensuring that people are able to carry out the tasks they need in a quick, effective manner. I got into the field of UX to help advocate for better usability and design in the tools we use, and to make sure that when we build software, we always consider the human element first (i.e. the people on the other side of the screen).
My approach while designing for the digital forensics industry is to help examiners get to the information they need as quickly as possible. AXIOM needs to help our users find the right evidence they need in a seamless way, so they can focus on doing their best work and spend their time on the things that matter.
MF: How would you describe Magnet Forensics’ approach to usability?
FJ: The UX team at Magnet Forensics strives to design our products in a way that balances the power of data analysis with ease of use. Especially in a field like digital forensics, there can be huge amounts of data to review, and we aim to present that data in a way that is easily consumable and recognizable. Likewise, with the functionality of our products, we aim to provide the flexibility that our users need while keeping things easy to understand and follow, even for those who are new to the tool.
We regularly conduct research to better understand where things are going in digital forensics and we seek out our customers to hear their feedback – both good and bad. This feeds back into our design process, so we know what is working well and what areas we need to focus on next to streamline and improve.
MF: We’re currently introducing what we call, “quality of life improvements” in Magnet AXIOM — a series of user experience updates that will improve the overall AXIOM experience. Why are these changes important and how will they help users?
FJ: AXIOM has come a long way in the past few years, and we are continuing to grow its capabilities as a forensics tool. However, while we do that, it’s important to keep in mind the existing workflows and features and make sure we keep those running as smoothly as possible. The “quality of life” improvements are a set of requests we’ve gathered with regards to how we can smooth out some of the features that have already been in AXIOM for a while. What this means is that you can expect to see some smaller tweaks here and there to improve your day-to-day workflow.
Since AXIOM has new releases on a monthly basis, we are continuously sending out these improvements as we work on them. As such, we can make sure that our customers are getting a better experience every time they update.
MF: Are there any particular improvements that you’re especially excited to introduce?
FJ: One set of improvements I’m excited to see launch in AXIOM 3.5 is the advanced search and filtering capabilities. We now allow you to conduct Boolean searches, exact match searches, and more, to help you narrow down your keyword searches to exactly the results you need. This includes letting you include or exclude results based on the criteria you specify. These search capabilities have long been requested by our customers and we’re happy to be adding these into AXIOM as the next step in helping you get through your investigations faster.
MF: What kinds of things can we expect in the future for AXIOM when it comes to QOL or UX updates?
FJ: Within future releases, you can expect to see further advanced filtering options like what I’ve mentioned above with the global keyword search. We are also actively looking into ways that we can streamline the full end-to-end workflow of using AXIOM, from processing through examination and reporting.
MF: Is there one feature within AXIOM that you feel like more users should be taking advantage of?
FJ: The relative date and time filter can be a powerful way to narrow down the results you’re looking at, if you know you need to find user activity or artifacts with timestamps from before or after a specific event. From the “Date and time” filter, you can select “Relative date/time” and specify a range to search for before and after a specific point in time (whether minutes, hours, days, or longer). Hint: if you are looking at a specific artifact, you can select the clock icon next to one of the timestamps in the Details card to set your filter around that timestamp! In conjunction with our Timeline view, this makes a great way to investigate what someone may have been doing around a loose time range, when you have a starting point but need to do a bit more digging.
Get Magnet AXIOM 3.5 now—either within AXIOM or as a download over at the Customer Portal. In this release, we’ve added Apple warrant returns, new image categories in Magnet.AI, as well as some quality of life improvements to make AXIOM even faster and easier to use.
AXIOM Cloud can now ingest and analyze warrant returns from Apple that will often include useful information even if the physical device is not recovered.
AXIOM now provides full decryption of any iOS device backups included within a warrant return package, as well as processing of synced media and iCloud Drive contents.
NEW IMAGE CATEGORIES FOR MAGNET.AI
Magnet.AI, a feature built into AXIOM at no additional charge, significantly speeds up your investigations by using artificial intelligence to identify pictures of interest as well as luring or grooming chats. With 3.5 AXIOM can now recognize hate symbols, license plates on vehicles, and pictures that have faces in them.
QUALITY OF LIFE IMPROVEMENTS
At Magnet we’re constantly striving to make AXIOM more powerful and easier to use. In 3.5 we’ve introduced a frequently requested feature that we hope will make examinations easier and faster.
Advanced Search now lets you build granular searches using Boolean operators such as AND and OR, Match Case, and Whole Word Only, and stack these searches so you can quickly find exactly what you’re looking for.
Over the next several releases of AXIOM we’re going to be focusing more on quality of life or user experience improvements. Check out this Q&A blog with the UX Designer of AXIOM, Filip Jadczak, to learn more about the new features in AXIOM 3.5 and what we have in store for the future.
This summer, I had an unbelievable opportunity to give back in DFIR via the Women in Forensics Camp at Notre Dame. The camp, sponsored by PWC and put together by members of the St. Joseph County Cyber Crimes Unit, was designed to introduce high school age women to digital forensics. What is incredible about St. Joseph County Cyber Crime Unit is that many of the sworn members of the force are interns from Notre Dame. The program is the brainchild of Mitch Kajzer, who is both the Cyber Crimes Director for the Office of the Prosecuting Attorney for St. Joseph County and a professor at Notre Dame teaching digital forensics. More information about the program at St. Joseph County can be found here.
Jessica Hyde and Mitch Kajzer
Mitch additionally decided this year to start the Women in Forensics Camp. This camp was an amazing experience. Mitch invited Heather Mahalik, Sarah Edwards, and me to come help teach the students in the camp. In addition to getting to spend time with some of my favorite fellow forensic femmes, we were able to assist four of the Notre Dame students and St. Joseph County Cyber Crime Unit interns with the course. The interns were teaching the bulk of the course while Heather did a section on mobile forensics, Sarah a section on APOLLO and iOS/mac forensics, and I did a section on Windows and Internet of Things forensics.
The high school students were well engaged, and I was beyond impressed by the lessons delivered by the interns. I thought it would be a great opportunity to ask them some questions about both the program at St. Joseph’s County Crime Lab and the Women in Forensics Camp. Below is an interview with Laura Hernandez, Briana Drummond, and Julia Gately about the programs.
From Left to Right – Jessica Hyde, Sarah Edwards, Julia Gately, Briana Drummond, Heather Mahalik, Lexie VanDenHeuvel, and Laura Hernandez
Jessica Hyde (JH): Ladies, I just wanted to take a moment to say thank you again for the amazing experience at the Women in Forensics Camp that you all put on at Notre Dame. I was extremely impressed by your forensic knowledge, your willingness to give back to the high school students, your delivery during the instruction you provided, your professionalism, and the quality of the content you delivered. Thank you also for taking the time to answer some questions in retrospect about yourselves, the internship program at St. Joseph’s County Crime Lab, and the camp itself.
Okay, to get started, can you each please tell me about the kind of work you do as an intern at the St. Joseph’s County Crime Lab?
Laura Hernandez (LH): As of right now, the St. Joseph County Cyber Crimes Unit is
actually the only unit in the world that swears in college students and grants
them full law enforcement powers. As investigators, we’re sent digital evidence
from cases all over the county, and we extract, process, and analyze the
information from that evidence to help detectives in their investigations.
Coming into this internship, I was convinced that the interns would only do
paperwork and basic tasks; instead, we’re the primary investigators on the
cases we’re given, and we’re a part of the entire process of an investigation,
from writing search warrants to writing reports at the end of an investigation.
I love every part of the process, and I am so lucky to be working in this unit!
Briana Drummond (BD): As an intern for the St. Joseph County Cyber Crimes Unit, we
extract, process, and analyze various electronic devices such as iPhones,
Androids, SD Cards, laptops, etc. given to us as evidence by both local and
federal law enforcement agencies. The work we do is very hands-on. From the
second we get a case, we, the interns, are the ones logging it and establishing
a line of communication with the Detective or Investigator who gave us the
case. We write up our own case reports and discuss with the officer the
evidence we found (or did not find)!
Julia Gately (JG): As an intern in Cyber
Crimes, I do the work of a Digital Forensics Investigator. The majority of my
time is spent doing cases for police departments/metro units within St. Joseph
County. When I work on a case, the detective will bring me the item(s) of evidence,
and I will then extract, process, and analyze it (if requested) accordingly.
I’ve worked with a variety of devices, such as mobile phones (iOS and
Androids), USB drives, SD cards, and cloud accounts. After I’ve finished going
through the evidence, I’ll write up a report and give it to the detective, as
well as a portable case and HTML report of the work that I’ve done. I’ll
usually go through the case with the detective as well and share my findings.
When I’m not working on cases, I’m doing research. All of the interns have
different research assignments that we work on during our down time. Lexie
VanDenHeuvel and I are partners on our current research project, which studies
the data on wearable devices that results from sexual assault. At the moment,
we are trying to locate data that we can use to try and establish a baseline
for what sexual assault may look like on a wearable device.
JH: Wow! What are you most excited about getting to do in the field?
BD: One thing I am very excited about is the fact that we get
to see the case as it progresses from its first submission all the way through
until the officer picks it up. Mitch, our Cyber Crimes Director, has allowed us
to do so much for the Unit, and I am so grateful for that. Not only do I
understand how to analyze the data we have extracted, but I know how important
the completion of each step of the whole process is.
LH: I’m really excited to see the results of
the cases I have been working on. Especially with those few that end up going
to trial, it just makes it incredibly clear that our work does have an impact.
Not only do I get to gain valuable experience in the field, but I also get to
contribute an effort that has concrete effects on people’s lives. I still
haven’t gotten over that amazement.
JG: I’m most excited about continuing to learn about different ways of collecting data. Working in the unit has taught me so much in terms of what law enforcement can extract, but I’m interested to see the corporate side of forensics. It’s an ever-expanding field, so I hope that wherever I end up post-grad I get the chance to see more software.
JH: Are there any particular challenges you’ve faced so far that have been particularly difficult? If so, how did you work through them?
LH: The
sheer volume of information that is available on the subject of digital
forensics is terrifying in itself, and it can only grow as technology keeps
developing. I came into this internship with a computer programming background,
but only a basic understanding of digital forensics. It’s a lot of hands-on
learning, and each case forces me to learn something new and leaves me with
even more questions. Especially at the beginning of my time in the unit, I
would have been completely overwhelmed if not for Mitch Kajzer, the director of
the Cyber Crimes Unit. He has a lifetime of experience and helps us address
problems that we haven’t seen before, and he always encourages us to take on
research projects and learn more about any subject that interests us. The
upside of how much I don’t know is that it’s hard to get bored, because there’s
always a new extraction technique, operating system update, or forensics
software to learn about.
BD: One challenge I have is feeling as though I do not
know the technological aspect of digital forensics entirely. I work
through this by asking our amazing director several questions, but I also lean
on the other investigators that I work alongside. One very unique feature of
this field is that technology is ever changing, and we may never fully
understand every aspect of it! It is an awesome field that pushes you to learn
and ask your peers for help. While this is something I am not used
to, I think this is an awesome challenge for me and will be valuable
for any future professional experience.
JG: The biggest challenge for me has been learning to preserve as much
of the evidence as possible. As technology continues to develop, the
methods for collecting evidence develop along with it, and it can be difficult
when a method will save evidence one day and destroy it the next. The way I
worked through this was just doing my best to be constantly updated. The best
source of information that I have is my boss, Mitch Kajzer, because his
never-ending drive to learn more about technology keeps him very aware on
what’s safe to do. I’ve also started reading a fair amount of tech news,
because with every update or new phone there come new challenges. There’s no
surefire way to combat constantly updating technology, but as long as we stay
prepared in the unit, we can provide the best service to law enforcement.
JH: Turning to the Women in Forensics Camp, what were your goals for the camp and what did you do to prepare for the camp ahead of time?
JG: This camp holds a special place in my heart, especially since it actually
stemmed from a conversation I had with Lexie VanDenHeuvel, another intern, at
the beginning of my sophomore year. We were discussing how we wish we had known
about the field earlier, like in high school, and Mitch asked if we wanted to
make a camp. It just took off from there. When we started brainstorming the
camp, we just wanted to raise awareness about digital forensics to high
potential young women. But as we continued planning, it turned into more than
that. We wanted to give the girls not only a chance to experience forensics,
but to understand the kinds of opportunities the field can bring them. So many
young women are discouraged from pursuing a career in STEM, so it was really
important for all of us that they feel comfortable and confident going into the
field, if they choose to do so. In terms of preparing for the camp, we spent a
lot of time making arrangements for amazing speakers, as well as making sure
that we had enough activities to keep the girls interested. We also wanted to
ensure that we moved at the right pace, so that no one felt as though the camp
was outside of their understanding.
LH: My
goals for the camp were just to show these girls all the opportunities that I
didn’t know existed when I was their age. I was lucky enough to stumble on
digital forensics through an email announcement for the Cyber Crimes Unit
internship, but there is so much more I could have done in high school and
college to learn more about digital forensics if I had known about it. I came
into this week just wanting to show them how much I love the work I do and
teach them a little bit of the digital forensics knowledge that I’ve gotten to
learn.
BD: I know that Lexie and Julia were the original
brains behind the camp, and they met with several individuals in
preparation for it. I helped with packaging the swag bags, loading files onto
the computers, and ensuring that the test iPhones were charged and ready to go.
When I found out about the camp, one goal I had was to make sure that the
students felt comfortable asking for help. I also wanted the students to gain
exposure to a potential future career field. While I do not know how many of
them will go into digital forensics in the future, I was glad that they would
have tangible experience for one option for their future. Going into college,
we pick our majors and are expected to have an idea of what we want to do for
the rest of our lives. I find this extremely difficult as many of us have only
worked as nannies, at restaurants or ice cream shops, etc., so I was excited
that these girls would get to experience a career field before entering college
or the next phase of their life.
JH: What did you enjoy most about the camp?
BD: I really enjoyed getting to know the girls and answering
any questions they had. I think it is such a blessing to have people in your
life that are a few years older and have had even just a little bit more
experience in life that you feel totally comfortable coming to with any and all
questions you have. We gave the girls our contact information, and I hope that
they will reach out about college admissions questions or just to chat about
life in general.
LH: One of the most surprising and rewarding parts of the camp was that not only did I get to teach and try to inspire the high school girls who attended, but I was also taught and inspired in turn by our amazing guest speakers. You, Heather Mahalik, and Sarah Edwards were so warm and welcoming from day one, offering to revise our research, introduce us to other leaders in the field, and support us in any way you could. It was the same knowledge and encouragement I was hoping to give to our campers, and I ended up receiving it tenfold.
JG: The
best part of the camp for me was actually being able to interact with the girls
and hear about what they wanted to do going forward. It was great to hear how
some of them were already determined to enter the forensic field, and how
others definitely had a new interest in the field after seeing what it offered.
Answering questions about what we do at the unit and college made me really
grateful for all of the mentors that I’m lucky enough to have, and I hope that
these girls take their experiences at the camp and use them going forward. I’m
also so grateful to all of those who traveled to come and speak at the camp, as
without them it wouldn’t have been possible.
JH: Thank you so much for taking the time to share your responses! It was such a pleasure to get to participate in the camp and not only give back to the students, but to be inspired by you and the next generation.
BD: Thank you so much for giving us amazing advice and for
being an amazing role model to look up to in a potential career field.
Thank you so much to the Women in Forensics Camp for
allowing us to have a part in this fantastic initiative. Thank you Mitch Kajzer
for being a mentor to not only these students, but to me as well.
Over the last few months, we hope you’ve had the opportunity to check out our AXIOM at Work video series and that it has been useful in demonstrating the enhanced features in Magnet AXIOM that make your examinations easier and more thorough. Now, Magnet Forensics is taking AXIOM at Work on the road to bring that conversation to you! We will be visiting multiple cities across the U.S., bringing personalized technical discussions right to your front door.
The event schedule currently includes the following cities:
The AXIOM at Work events will provide in-depth lectures on various challenges the digital forensics community faces today. Hear about:
How to answer the questions you might encounter in a macOS investigation
Capturing the evidence that could be hidden in the Cloud
How our Volatility integration can assist in your memory analysis
And more!
Through informative talks and live demos, we’ll take you through these case examples and more, demonstrating how AXIOM can be integrated into your current forensic workflow.
Our AXIOM at Work events will also show you how to solve additional struggles you may face in your lab. Need a better way to manage your digital evidence? Want to reduce your backlog and take better advantage of processing downtime? We will demonstrate other tools in the Magnet Forensics portfolio, such as Magnet ATLAS and Magnet AUTOMATE, to provide you an overview of the entire investigative workflow.
Here at Magnet Forensics we’ve always been a big believer in
the “toolbox” approach to investigations. While many of our customers use
Magnet AXIOM as their primary investigative tool for mobile, computer and cloud
investigations, when lives are at stake, and justice hangs in the balance, we
know it’s important to verify your results. Different tools have different
strengths, and when it comes to convicting or exonerating a suspect, you want
to make sure every strength is given its due. Often, using a secondary tool
will even help you get through certain parts of the investigation more
efficiently, while still maintaining the accuracy that’s so crucial for the
whole process.
When it comes to mobile investigations, you probably have Cellebrite’s
UFED as one of those tools in your toolbox. We know it may even be the only one
that you have. UFED performs extractions from various mobile devices and it’s
likely convenient for you to continue performing your initial examinations with
it. However, you could be missing essential data if you don’t verify your
evidence with more than one tool.
AXIOM was designed to not only ingest
images from various tools (including UFED) but to be the clearest and most
robust analysis tool available. So, after you’ve done your acquisition and
first pass of the data with UFED, AXIOM can be an extremely powerful solution
for analyzing the evidence.
Here are five reasons why we think you should
use AXIOM to verify what you’ve done with UFED:
1. AXIOM Finds Important Additional Evidence
Magnet Forensics pioneered the artifacts-first approach; no other tool recovers and surfaces more relevant artifacts than AXIOM does.
This is especially true of evidence that is abundant on mobile devices: artifacts like photos, chats, social media artifacts, geolocation data, and browser activity. And because mobile analysis is all about the artifacts, it’s important to make sure you’re seeing the ones that might matter to your investigation first—something AXIOM does for you every time.
In fact, based on internal testing that we’ve done, we’ve found that AXIOM finds up to 25% more evidence than other tools available. That’s significant! Especially if AXIOM can find that one photo or that one chat that leads to a breakthrough in your investigation.
After running Cellebrite, I always follow up with AXIOM if the case involves social media or internet artifacts. I find AXIOM will always get more data from these sources.
Steve Ware, Computer Forensic Investigator, City of Redding
2. AXIOM Analyzes Evidence from Mobile Devices, Computers, and the Cloud
While UFED is commonly used for mobile investigations, AXIOM is a complete digital forensics platform that can process and analyze evidence from multiple evidentiary sources, including computers, mobile devices, and cloud services. Investigations are rarely just about a person’s computer, or their phone… it’s about that person’s activity and behavior. And that activity and behavior has a digital footprint that spans all of their devices: their phone, their computer, and their social media and other cloud-based accounts.
The fact of the matter is that crime is often not restricted to one device or source of data. As our lives become increasingly digitally enhanced, so does our digital footprint. AXIOM can ingest and analyze evidence from all of those sources in one case file, which gives you a holistic view of the person’s activity and how it relates to the case. Whether it’s child exploitation or corporate intrusions, you can’t rely solely on a solution that focuses on one evidence source.
3. Quickly Get Insight into Your Investigations
We know speed is of the essence during an investigation, whether you need evidence immediately so you can use it during an interview or simply need to move through your workload faster. AXIOM has many features that save time by providing immediate, actionable insight into your evidence.
Visualize a Timeline Across All Timestamped Data
Many timestamps beyond those reported by the file system can be found within AXIOM’s artifacts. The Timeline feature in Magnet AXIOM shows all artifact timestamps, including chat records, EXIF data, and web activity, alongside the file system timestamps in a single view so you can quickly sort, filter and zero in on what you’re looking for. Watch this video to learn more:
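A unified timeline only works if every source is first brought onto one clock. The script below is an added example (not AXIOM code) showing the normalization step such a feature has to perform: a file system mtime (Unix epoch seconds), a Chrome history visit (WebKit microseconds since 1601), an iOS chat row (Cocoa seconds since 2001) and a photo’s EXIF tag (local time with no zone) are converted to UTC and sorted into one view. All records are constructed sample data, and the EXIF offset of UTC-4 is an assumption standing in for the device’s known time zone.

```python
"""Merge timestamps from heterogeneous artifacts into one UTC timeline.

Added example, not Magnet AXIOM code. The epoch offsets are the standard
ones for each source; RECORDS is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome/WebKit: microseconds since 1601
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)    # Apple Cocoa/Core Data: seconds since 2001


def from_unix(seconds):
    return UNIX_EPOCH + timedelta(seconds=seconds)


def from_webkit(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def from_cocoa(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)


def from_exif(text, utc_offset_hours):
    # EXIF DateTimeOriginal is "YYYY:MM:DD HH:MM:SS" in camera-local time with
    # no zone; the examiner supplies the offset (here an assumed UTC-4).
    naive = datetime.strptime(text, "%Y:%m:%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


CONVERTERS = {"unix": from_unix, "webkit": from_webkit, "cocoa": from_cocoa}

# Constructed sample records, one per artifact type. Same photo, four sources.
RECORDS = [
    {"source": "filesystem", "event": "modified", "item": "IMG_0042.jpg",
     "kind": "unix", "raw": 1_572_000_000},
    {"source": "chrome_history", "event": "visit", "item": "https://example.test/upload",
     "kind": "webkit", "raw": 13_216_473_900_000_000},
    {"source": "ios_chat", "event": "sent attachment", "item": "IMG_0042.jpg",
     "kind": "cocoa", "raw": 593_692_920},
    {"source": "exif", "event": "DateTimeOriginal", "item": "IMG_0042.jpg",
     "kind": "exif", "raw": "2019:10:25 06:38:00", "utc_offset_hours": -4},
]


def normalize(record):
    """Return the record with its timestamp rewritten as an ISO-8601 UTC string."""
    if record["kind"] == "exif":
        ts = from_exif(record["raw"], record["utc_offset_hours"])
    else:
        ts = CONVERTERS[record["kind"]](record["raw"])
    return {"utc": ts.isoformat(), "source": record["source"],
            "event": record["event"], "item": record["item"]}


def build_timeline(records):
    """Normalize every record and order the result chronologically."""
    # All strings share the same format and +00:00 suffix, so lexical sort is chronological.
    return sorted((normalize(r) for r in records), key=lambda r: r["utc"])


if __name__ == "__main__":
    for row in build_timeline(RECORDS):
        print(row["utc"], row["source"].ljust(15), row["event"].ljust(16), row["item"])
```

Read top to bottom, the merged view tells the story the individual artifacts do not: the photo was taken, written to disk two minutes later, sent in a chat, then uploaded through the browser. The EXIF conversion is the fragile step; if the camera offset is wrong, that first row moves and the story changes, which is why the offset should be recorded as an examiner assumption rather than silently defaulted.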
Easily Understand Evidence Attribution with Connections
Connections allows you to more easily understand the attribution of a file or artifact by visualizing the connections between artifacts and files in your case. You’ll be able to quickly understand how a file, such as a picture, might have gotten onto someone’s phone, where it might have gone next, and so on, which can be very helpful in many investigations.
Here’s another video that shows a more in-depth look at Connections:
This is just the start. There are many other great reasons to use AXIOM—things like relative-time filtering, advanced filtering, and our amazing SQLite Viewer will help you find more evidence and work through it faster.
4. Locate and Analyze Data from Unsupported Mobile Apps
At Magnet Forensics, we call this supporting the unsupported. Mobile apps in particular change constantly, and new ones are introduced at a rapid pace. Some of these new apps have features, such as anonymous chats, that can be used for nefarious purposes.
Dynamic App Finder
How are you supposed to find chat evidence from that app if you don’t even know it exists? This is where Dynamic App Finder (DAF) helps. DAF identifies SQLite databases that may contain information useful to your case, which could ultimately lead you to something of critical importance that you didn’t even know was there.
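The idea behind finding an unknown app’s data is that the storage format is far more stable than the app: almost every mobile chat app keeps its messages in SQLite, and a message table tends to have a body column, a party column and a time column whatever the developer named them. The script below is an added example, not Magnet’s Dynamic App Finder, that walks a directory tree, recognizes SQLite files by their 16-byte header rather than by extension, opens each read-only and scores every table by those three column-name groups. The app directory, table and column names are constructed sample data; the hint lists and the score threshold are heuristics of this example.

```python
"""Locate SQLite databases on disk and flag tables that look like chat stores.

Added example, not Magnet's Dynamic App Finder. Sample databases are
constructed in a temporary directory so the script runs offline.
"""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

# Column-name fragments suggesting a message store. Each group that matches scores one point.
CHAT_HINTS = {
    "body": ("message", "body", "text", "content"),
    "party": ("sender", "from", "address", "handle", "author"),
    "time": ("timestamp", "date", "time", "created"),
}


def is_sqlite(path):
    """Header check: catches renamed or extension-less databases."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def find_sqlite_files(root):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                # A valid database is at least one 100-byte header; skip anything smaller.
                if os.path.getsize(p) >= 100 and is_sqlite(p):
                    hits.append(p)
            except OSError:
                continue
    return sorted(hits)


def score_table(columns):
    """Count how many hint groups (body, party, time) the column names satisfy."""
    cols = [c.lower() for c in columns]
    return sum(1 for hints in CHAT_HINTS.values()
               if any(h in c for c in cols for h in hints))


def chat_candidates(db_path, min_score=3):
    """Return (db name, table, columns) for tables that look like message stores."""
    out = []
    con = sqlite3.connect("file:" + db_path + "?mode=ro", uri=True)  # never write to evidence
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % t)]
            if score_table(cols) >= min_score:
                out.append((os.path.basename(db_path), t, cols))
    finally:
        con.close()
    return out


def scan(root):
    results = []
    for db in find_sqlite_files(root):
        results.extend(chat_candidates(db))
    return results


def build_sample_tree():
    """Constructed sample data: one unknown chat app, one settings DB, one decoy."""
    root = tempfile.mkdtemp(prefix="daf_demo_")
    appdir = os.path.join(root, "com.example.anonchat", "databases")
    os.makedirs(appdir)
    con = sqlite3.connect(os.path.join(appdir, "talk.db"))
    con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, sender_handle TEXT, body TEXT, date_sent INTEGER)")
    con.execute("INSERT INTO msgs VALUES (1, 'anon42', 'meet at 9', 1572000120)")
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(root, "prefs.db"))   # real SQLite, not a chat store
    con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "notes.db"), "wb") as fh:  # .db extension, not SQLite
        fh.write(b"not really a database" * 10)
    return root


if __name__ == "__main__":
    for db, table, cols in scan(build_sample_tree()):
        print("%s: table %s looks like a chat store (%s)" % (db, table, ", ".join(cols)))
```

The threshold matters in both directions: requiring all three groups keeps contact lists and settings tables out of the results, but a message table that stores the sender as a numeric foreign key will score only two and be missed, so the examiner should look at two-point tables in the same database by hand.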
Custom Artifacts
Custom artifacts are used to analyze artifacts that aren’t yet supported by AXIOM. They’re XML or Python scripts that have been built and uploaded by professionals in the Digital Forensics Community to help their peers with their cases.
Custom artifacts live in the Magnet Artifact Exchange. This community-based approach is yet another way for you to find more evidence.
Even with solid evidence of an incident or a crime, if you don’t have the means to convey your findings in a way that is easily understood by your stakeholders, such as a judge or jury, then all of your hard work may be fruitless.
AXIOM produces easy-to-understand reports, including the ability to rebuild chats into the conversation bubble view commonly used on mobile devices, which examiners and users alike are accustomed to.
When a non-technical judge or jury member sees the conversation bubble view in the report, presented just as they see it on the phone they use every day, they can understand the interactions far better than from a spreadsheet or plain text.
And, similarly to UFED Reader, AXIOM has a feature called Portable Case that lets you provide a single report to non-technical stakeholders. This significantly cuts down on the time and frustration of merging data from all of your different sources, whether mobile, computer, or cloud.
Try AXIOM on Your UFED Extractions Today
So, the next time you’ve done an examination with UFED, think of AXIOM and give it a try. Here’s a blog we wrote a while ago that walks you through how to load a Cellebrite image into AXIOM.
And if you don’t have AXIOM yet, sign up for a free 30-day trial and see for yourself what kind of results you get. We think you’ll be pleasantly surprised!
We’re excited to share a new solution, purpose-built for organizations needing to perform remote acquisitions and collect and analyze evidence from computers, cloud services, and mobile devices: Magnet AXIOM Cyber.
AXIOM Cyber is now available for free beta testing for AXIOM customers and those who are new to AXIOM. Visit the Magnet AXIOM Cyber Beta page to be the first to try the most modern solution for your cybersecurity investigations and provide valuable feedback.
What to Expect in Magnet AXIOM Cyber
Whether it’s employee misconduct, fraud, IP theft, or incident response, AXIOM Cyber will be a powerful tool in your organization’s investigations. Building upon the capabilities of Magnet AXIOM, AXIOM Cyber will not only allow you to acquire and analyze evidence from computer, cloud, and mobile sources, but will also allow you to:
Get point-to-point remote acquisition — Obtain evidence from target endpoints, even if they are not connected to your corporate network.
Use an on-demand remote acquire agent — Deploy the agent (ad hoc), so you don’t need one on every single endpoint.
Acquire from cloud services — Get evidence from cloud storage services like Amazon S3, Office365, Slack, Microsoft Teams, G Suite, Box.com, and more.
Automatically resume collection — Reconnect and resume collections where they left off when connectivity to the target is lost.
Additionally, AXIOM Cyber will incorporate all the features of AXIOM that help in your investigations, including:
The ability to easily produce reports for non-technical stakeholders
Examination of evidence from all sources—computer, cloud, and mobile—in one case
Quick root cause analysis
Visualization of key data with features like Connections and Timeline
Acquisition of unencrypted collections of files even when the source drive is encrypted
Ongoing updates that provide you with new features that optimize productivity and performance
Join the AXIOM Cyber Beta Program Today!
Looking to be the first to try AXIOM Cyber? Be sure to head over to our AXIOM Cyber page for more information and to sign up to participate.
If you’re new to AXIOM, this can be a great opportunity to get started — sign up over at the Beta page today and try AXIOM Cyber for free.
We’re proud to announce Magnet SHIELD, an innovative new solution that empowers the frontline police officers and investigators in your police service to easily capture and report on digital evidence from consenting victims and witnesses in the field.
Share Magnet SHIELD with Frontline Teams
If you know who is responsible for equipment for frontline officers in your police department, please let them know about Magnet SHIELD and how it can benefit the service by forwarding this email to them or telling them to visit the Magnet SHIELD page for more information.
Magnet SHIELD will give officers and investigators the ability to:
Quickly and easily capture chat, picture, and video evidence at the scene
Immediately produce shareable evidence reports
Preserve key digital evidence from consenting victims and witnesses
Enable victims and witnesses to select the evidence they want to share
Available as a Microsoft Surface Go Tablet or Software-Only Solution
Magnet SHIELD is available as a turnkey solution that leverages the mobility, battery life, HD camera and familiarity of the Microsoft Surface Go tablet, or as a software-only solution that runs on any tablet powered by Windows 10 – including existing mobile data terminals in police cruisers. Data integrity is maintained through Windows 10 security features and your existing IT controls.
After capturing the evidence, SHIELD automatically produces a standardized evidence report that can be shared with Crown attorneys. Evidence from SHIELD can easily be stored in an existing Digital Evidence Management system or other systems such as an RMS.
Magnet SHIELD is currently available to agencies in Canada, with a global availability in the near future. Visit magnetforensics.com/products/magnet-shield/ for more information.
With Magnet AXIOM 3.6, we’ve introduced some great new features, including new advanced filters, Instagram public data acquisition, and updates to the support of some Apple products. Get AXIOM 3.6 within AXIOM or as a download over at the Customer Portal today!
Within AXIOM 3.6, there are a number of new advanced filtering options, including the ability to perform advanced filtering with multiple search terms, proximity searches and include/exclude function. These will help you surface the data you need in your investigations that much quicker. For a deeper look, check out this video overview:
Instagram Public Data Acquisition
Instagram boasts more than 500 million active users every day, which makes it a hard-to-ignore source of data for investigators. Now, you will be able to collect public-facing posts using a username or a hashtag — without requiring any user credentials — potentially uncovering additional leads in the case. Collect the post information, and associated media as artifacts, all within AXIOM.
File Signature Mismatch Artifact
The file signature mismatch artifact highlights files whose extension and content signature don’t match. Such files can contain material that someone was attempting to hide from an investigation, and you may want to examine them more closely when looking for evidence.
For example, you may uncover an .mp3 that is actually a zip archive and see this in the file signature mismatch artifact. From there, you’d be able to export it to see whether the suspect had been hiding files inside the archive.
Now with Support for iOS 13
With the launch of iOS 13, AXIOM 3.6 continues to support examinations of the latest iPhone OS!
Encrypted iOS Backup Enhancements
You can now view the friendly file names and paths as they appear in the iOS backup manifest in AXIOM Examine’s File System view, giving you the ability to look at each file as it was stored on the device rather than under the hashed name used in the backup.
iCloud Backup Recovery for Devices with 2FA
This release re-enables AXIOM Cloud’s ability to recover iCloud backups from accounts protected by two-factor authentication, providing a more complete view of the evidence available in a user’s iCloud account. At this time, this feature is only available for iOS 11 and 12 backups.
Xiaomi & Huawei Backup Support
Thanks to enhancements to the Android unlocked device workflow, you can now retrieve additional information from Xiaomi and Huawei devices by leveraging the on-board device backup mechanism.
If you’re interested in a new solution, purpose-built for organizations needing to perform remote acquisitions and collect and analyze evidence from computers, cloud services, and mobile devices, then find out more about our just-announced beta program for our newest product: Magnet AXIOM Cyber.
We’re proud to introduce Magnet OUTRIDER — a new and easy way for officers and investigators to check devices for digital contraband. OUTRIDER is an intuitive preview tool that quickly scans smartphones and computers to determine whether illicit material is present and to develop a risk profile of the target user.
For a limited time, Magnet OUTRIDER is available as an extended free trial. Visit www.magnetoutrider.com to take part!
An Easy-To-Use Solution for Offender Management and Use in Search Warrants
Magnet OUTRIDER was purpose-built to be used by both technical and non-technical officers. It is ideal for offender management or the execution of search warrants, and users can be up and running very quickly with minimal training — a brief 30-minute online training video is enough to get started.
For example, parole officers need to inspect a sex offender’s devices to make sure that they are not violating the terms of their release. OUTRIDER empowers parole officers, or any other non-technical user, to create a more accurate risk assessment of offenders by performing an extremely fast scan of their computers, hard drives, USB drives, as well as Android and iOS devices, looking for objectionable material or data.
The scans are so fast, in fact, that in one test case over one million files were scanned in 40 seconds!
From there, OUTRIDER will:
Identify known encryption, dark web, peer-to-peer, cryptocurrency, and cloud storage apps
Indicate if virtual machines or anti-forensic tools are on the device
Utilize pre-defined or customized keyword lists to flag file names
Detect encryption as well as provide a warning to ensure access to data is not lost by powering down a computer with active encryption
Obtain the external IP address of a live computer for use in cross-referencing with other intelligence systems like the Child Protection System (CPS) or ICACCOPS — allowing for quicker identification of offenders
Quickly preserve located contraband to ensure evidence is not lost
By using Magnet OUTRIDER, the demand on DFUs can be reduced by limiting the number of seized devices and prioritizing those requiring urgent full forensic analysis — decreasing the time frame between arrest and charge.
How to Use Magnet OUTRIDER
Running OUTRIDER from a USB is simple. Simply launch OUTRIDER and choose whether you want to scan all the local drives on the computer or specifically target any external drives. You can also customize your keyword list or use the default one provided. Finally, give it a case or reference number and start the scan.
The first thing OUTRIDER does is check for encrypted disks and notify the user when encryption is present, as this may affect the next steps of the investigation. After the encryption check, OUTRIDER scans the selected drives for files and applications matching the keywords or applications of interest. The scan is quick: in our test it took about a minute and a half to scan a 500 GB drive and found matches for several items of interest.
From there you can choose to review the matches that were found, export the data and/or collect the system for a more in-depth forensic analysis.
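The encryption check runs first for a reason: once a BitLocker or LUKS volume is powered down, the data behind it may be gone for good unless the recovery key is in hand, so the warning has to reach the officer before anyone touches the power button. The script below is an added example, not OUTRIDER code, showing how such a triage check can work on the leading bytes of a volume: it looks for the published BitLocker and LUKS on-disk signatures, recognizes plaintext NTFS and FAT volumes so they are not mis-reported, and falls back to a byte-entropy heuristic for headerless containers (VeraCrypt-style), which it labels as only possible. The sample volumes are constructed byte strings, and the 7.5 bits-per-byte threshold over 4096 bytes is a tuning choice of this example.

```python
"""Check the first sectors of a volume for full-disk-encryption signatures.

Added example, not Magnet OUTRIDER code. BitLocker and LUKS signatures are
the published on-disk magic values; SAMPLES are constructed byte strings.
"""
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte of the given buffer (8.0 is perfectly uniform)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_encryption(head, entropy_threshold=7.5):
    """Classify a volume from its leading bytes. Returns (kind, basis)."""
    # BitLocker keeps an NTFS-style boot sector but replaces the OEM ID at offset 3.
    if head[3:11] == b"-FVE-FS-":
        return ("bitlocker", "header")
    if head[:6] == b"LUKS\xba\xbe":
        return ("luks", "header")
    # Recognize common plaintext filesystems so they never trip the entropy test.
    if head[3:11] == b"NTFS    " or head[54:62] == b"FAT16   " or head[82:90] == b"FAT32   ":
        return ("plaintext-filesystem", "header")
    # Headerless containers look like random data from the first byte onward.
    # This is a heuristic: compressed or wiped regions can score high too.
    if len(head) >= 4096 and shannon_entropy(head[:4096]) >= entropy_threshold:
        return ("possible-headerless-container", "entropy")
    return ("unknown", "none")


def triage(volumes):
    """Map each volume name to its classification and the warning to show the officer."""
    report = {}
    for name, head in volumes.items():
        kind, basis = detect_encryption(head)
        if kind in ("bitlocker", "luks"):
            warning = "ENCRYPTED: do not power down; capture keys/memory or image live"
        elif kind == "possible-headerless-container":
            warning = "high-entropy volume: treat as possibly encrypted, confirm before shutdown"
        else:
            warning = ""
        report[name] = (kind, basis, warning)
    return report


# Constructed sample volumes, each the first 4 KiB or so as an acquisition tool would read it.
SAMPLES = {
    "bitlocker": b"\xeb\x58\x90-FVE-FS-" + b"\x00" * 4096,
    "luks": b"LUKS\xba\xbe\x00\x01" + b"\x00" * 4096,
    "ntfs": b"\xeb\x52\x90NTFS    " + b"\x00" * 4096,
    # Deterministic pseudo-random bytes standing in for a headerless container.
    "random": b"".join(hashlib.sha256(b"seed-%d" % i).digest() for i in range(128)),
}

if __name__ == "__main__":
    for name, (kind, basis, warning) in triage(SAMPLES).items():
        print("%-10s %-30s (%s) %s" % (name, kind, basis, warning))
```

The signature checks are exact and cheap; the entropy check is where the false positives live, which is why the example reports its basis alongside the verdict so the officer can tell a confirmed BitLocker volume from a guess.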
In addition to running from a USB drive on a target computer, OUTRIDER can scan smartphones; the computer simply needs to be connected to the target smartphone.
Want to Give Magnet OUTRIDER a Try?
You can take part in our extended free trial offer of Magnet OUTRIDER only until the end of 2019! If you’re in Law Enforcement and looking to try it out for yourself, visit www.magnetoutrider.com for more information.