
Magnet AXIOM 3.7 is Available with Google Warrant Returns, Mac Updates and More!

Get Magnet AXIOM 3.7 within AXIOM or as a download over at the Customer Portal today! AXIOM 3.7 provides support for Google warrant returns, KTX files, AFF4 physical images from MacQuisition, and much more!

If you haven’t tried AXIOM yet, request a free 30-day trial here.

Support for Google Warrant Returns

Magnet AXIOM now supports Google warrant returns — giving law enforcement a potential wealth of information related to the owner of the Google account. AXIOM can be used to parse these returns and will provide investigators with information such as:

  • Account Information
  • Browsing History
  • Chats
  • Devices
  • Login History
  • Search History
  • All media and documents included in the package — including Google Drive and Google Photos

KTX File Support

KTX image files are used on iOS devices to store critical information that could be useful in your investigations — information like snapshots of the application state when an app has been minimized and snapshots of web pages in Safari that remain open on tabs.

Ingest AFF4 Physical Images from MacQuisition

You can now ingest and process the AFF4 physical images acquired from MacQuisition. Starting in 2017, Mac computers have Apple’s T2 security chip providing hardware-assisted encryption for data stored on the system.

As an APFS Container on a T2 hardware-encrypted system is acquired, MacQuisition interfaces with the chip to decrypt the protected data, creating a decrypted physical image using the AFF4 format.

macOS Extended Attributes

Extended attributes are arbitrary metadata stored with a file on macOS. They are separate from the attributes that are strictly determined by the filesystem (such as modification time or file size). These attributes contain extra information about the file that is completely customizable.

AXIOM 3.7 lets you access the complete extended attributes of a file and preview them within a hex and text preview card.

For example, if you’re seeking information about how a file had arrived on the system, the attribute kMDItemWhereFroms provides examiners this context — whether it be from a web download, or via AirDrop.
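To validate by hand what a hex preview of this attribute shows, the following added Python example (not Magnet's code and not part of the original post) decodes the raw attribute bytes and labels each entry. It assumes the attribute's on-disk name is `com.apple.metadata:kMDItemWhereFroms` and that its value is a binary property list of strings, as is typical for web downloads; the sample value and the helper names are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# On-disk xattr name; Spotlight exposes the same data as kMDItemWhereFroms.
XATTR_NAME = "com.apple.metadata:kMDItemWhereFroms"


def bytes_from_hex_view(text):
    """Convert hex copied from a hex preview (or `xattr -px` output) to bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_where_froms(raw):
    """Decode the raw attribute value into a list of strings.

    Raises ValueError when the data is not a parseable binary plist, so a
    truncated or carved attribute is reported instead of silently skipped.
    """
    if not raw.startswith(b"bplist00"):
        raise ValueError("value is not a binary property list")
    try:
        value = plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
    except Exception as exc:  # truncated or corrupt attribute data
        raise ValueError(f"cannot parse {XATTR_NAME}: {exc}") from exc
    if isinstance(value, str):  # tolerate a single string instead of an array
        value = [value]
    if not isinstance(value, list):
        raise ValueError("unexpected plist root type: " + type(value).__name__)
    return [item if isinstance(item, str) else repr(item) for item in value]


def describe_origins(entries):
    """Label each entry so URL origins and non-URL text are easy to separate."""
    described = []
    for position, entry in enumerate(entries):
        parsed = urlparse(entry)
        if parsed.scheme in ("http", "https", "ftp") and parsed.hostname:
            kind, host = "url", parsed.hostname
        elif entry == "":
            kind, host = "empty", None  # slot present but no value recorded
        else:
            kind, host = "text", None   # non-URL origin text, report verbatim
        described.append(
            {"index": position, "kind": kind, "host": host, "value": entry}
        )
    return described


def constructed_sample_hex():
    """Build a CONSTRUCTED attribute value and return it as a hex dump."""
    raw = plistlib.dumps(
        [
            "https://downloads.example.com/files/report.pdf",  # constructed
            "https://www.example.com/landing",                 # constructed
        ],
        fmt=plistlib.FMT_BINARY,
    )
    return " ".join(f"{byte:02x}" for byte in raw)


if __name__ == "__main__":
    raw_value = bytes_from_hex_view(constructed_sample_hex())
    for row in describe_origins(decode_where_froms(raw_value)):
        print(row["index"], row["kind"], row["host"], row["value"])
```

On a live macOS system the hex input can be produced with `xattr -px com.apple.metadata:kMDItemWhereFroms <file>`.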

Learn more about extended attributes, spotlight metadata, and the quarantine events database in this video from Trey Amick, Forensics Consultant:

Update to PhotoDNA

In AXIOM 3.7, we’ve updated our PhotoDNA library and have optimized our implementation to improve performance for those of you using PhotoDNA technology in your ICAC investigations.

New Advanced Filters

Get to the evidence faster by using “Include” or “Exclude” searches with multiple strings, as well as proximity searches (search for certain text near other text). These filters are available for Global Keyword Search and column filters.

New Artifacts

Updated Artifacts

  • Messenger (iOS)
  • Snapchat (iOS)
  • .m4a Videos
  • Mail (iOS)
  • Device Information (iOS)
  • Android Contacts
  • SMS/MMS (Android)
  • Owner Information (iOS)
  • Anti-Forensic Tools (Windows)
  • Google Searches
  • amcache (Windows)
  • Human Trafficking Websites

Get Magnet AXIOM 3.7 Today!

If you’re already using AXIOM, download AXIOM 3.7 over at the Customer Portal. If you want to see how AXIOM 3.7 can help you find the evidence that matters, request a free 30-day trial today!

If you’re interested in a new solution, purpose-built for organizations needing to perform remote acquisitions and collect & analyze evidence from computers, cloud services, and mobile devices, then find out more about the beta program for our newest product: Magnet AXIOM Cyber.

The post Magnet AXIOM 3.7 is Available with Google Warrant Returns, Mac Updates and More! appeared first on Magnet Forensics.


Complete Investigations Over 2x Faster with the New Magnet AUTOMATE 2.0

A new version of Magnet AUTOMATE is now available to help examiners complete investigations faster by reducing downtime by over 90% and by processing evidence items in parallel.

Learn more about what’s in Magnet AUTOMATE 2.0, including case merging, maximizing computing resources, and integration with the fastest imaging hardware in the industry: Atola TaskForce!

Review Your Evidence Two Days Earlier

Difference in processing times using AUTOMATE 2.0

In a sample case that included four 500GB computers and a 32GB mobile phone, AUTOMATE 2.0 allowed examiners to start reviewing evidence two days faster than a traditional forensics workflow.

The case included 4.25 Million artifact hits and 1.26M media hits. How did AUTOMATE 2.0 help save so much time? This infographic will give you a more detailed breakdown, but here are a few highlights:

Case Merging

AUTOMATE 2.0 processed data over 2x faster due to processing evidence items in parallel. Instead of processing one piece of evidence at a time, like you would with AXIOM or any other forensic tool, AUTOMATE allows you to process all five evidence items at the same time – on five different nodes — and then merge the evidence items into one case.

Comparison chart

Maximizing Computing Resources

Examiners are doing their best to maximize the tools they have, but you simply can’t be in the lab 24 hours a day. As a result, there is a significant amount of downtime between steps in an investigation. So, for example, if imaging finishes at 6:00PM, processing won’t start until you get back into the lab at 9:00AM.

With AUTOMATE 2.0, there is no need for you to manually move the investigation to the next phase. Instead, AUTOMATE 2.0 allows digital evidence to move from acquisition to processing to post-processing to exporting seamlessly. And thanks to these improvements, downtime can be reduced by 94% and evidence can be reviewed two days sooner than it could with a typical forensic workflow!

94% reduction in downtime.

Other Benefits of Magnet AUTOMATE 2.0

Faster Imaging Speeds

AUTOMATE 2.0 integrates Atola TaskForce, the fastest imaging hardware in the industry. You can now leverage the unmatched speed of their TaskForce Imager with AUTOMATE to move from acquisition to processing without requiring an intervention. Learn more about the integration in this video:

Automatically Kick-Off Post-Processing

You can now automatically build Connections and Timelines within your orchestrated workflow. This capability allows you to jump right into data analysis when the case is processed. Additionally, Magnet.AI has also been integrated, enabling the detection of images that may contain CSAM, Nudity, Weapons, Currency and more.

Fine Grain Artifact Selection

Finally, you can further increase the speed of AUTOMATE by finetuning the artifacts that you’re looking for in your investigation. With AUTOMATE 2.0, you can now select artifact categories (e.g., Chats) or select the specific artifacts (e.g., WhatsApp) that you want to examine. By only focusing on the artifacts relevant to the case, a significant amount of processing time can be saved.

Learn More about Magnet AUTOMATE

Want to learn more about Magnet AUTOMATE? Visit our website at https://www.magnetforensics.com/products/magnet-automate/ and fill out the form to contact us.

We’re also hosting a live webinar on November 20 where you’ll be able to learn more about what’s new in Magnet AUTOMATE 2.0 and find out how these capabilities can help maximize workflow efficiency and eliminate downtime. Register today!

The post Complete Investigations Over 2x Faster with the New Magnet AUTOMATE 2.0 appeared first on Magnet Forensics.

Join Us in Nashville on May 11-13 for Magnet User Summit 2020

Magnet User Summit is coming back to the Sheraton Grand Nashville Downtown in Nashville on May 11-13 — join us to learn the latest trends and best practices in digital forensics and digital evidence. 

Register today and save!

Magnet User Summit 2020 is coming back to Music City! In addition to having the chance to network with your peers, we’re bringing 14 lectures and more than 20 industry speakers to MUS 2020. You’ll get a good look at the exciting trends and best practices in the digital forensics industry as a whole.

And with 15 hands-on labs, you’ll have a chance to use Magnet AXIOM and Magnet AXIOM Cyber on real case files to learn how you can maximize their use in your investigations.

You’ll also have the chance to learn more about how Magnet AUTOMATE, Magnet SHIELD, Magnet OUTRIDER, and Magnet ATLAS can help you save time and resources in your investigations. 

Register now to take advantage of our special early bird pricing. Check out  www.magnetusersummit.com for more details.

Not sure what to expect at MUS2020? Check out this video: 

Magnet Live Pre-Conference Training 

Magnet Live Pre-Conference Training will also be at Magnet User Summit 2020! We’re offering three instructor-led, on-site courses leading up to the event. You can come early to take part in AXIOM Examinations (AX200) and get in-depth training on Magnet AXIOM, learn more about advanced computer forensics with AX250, or take AX320 to learn everything you need to know about internet and cloud investigations.

By registering for Magnet Live Pre-Conference Training, you’ll gain free entry to the Magnet User Summit 2020* and be eligible for up to 32 CPE credits! Be sure to reserve your spot today.

Speaking and Sponsorship Opportunities Available 

Interested in sharing your expertise with the digital forensics community? We’re currently accepting proposals to speak at MUS 2020, so if you’re a qualified industry professional, email us at magnetusersummit@magnetforensics.com and let us know what you’d like to speak about before December 6.

We’re also offering vendors an opportunity to attend as a sponsor as part of our Solutions Showcase — visit magnetusersummit.com/sponsors  if you’re interested in sponsorship opportunities at MUS 2020.

Find More Information and Register 

Head over to magnetusersummit.com to get all the details you need — including pricing and location information. Keep checking back for more details around speakers and special onsite events. 

The post Join Us in Nashville on May 11-13 for Magnet User Summit 2020 appeared first on Magnet Forensics.

Submit to the Magnet User Summit 2020 Call for Papers (CFP)

This year’s Magnet User Summit is promising to be a great event not only filled with content from us at Magnet Forensics, but with knowledge from some of the industry’s top minds.  

With that in mind, we’re looking for speakers to share their expertise at this year’s event. Interested in filling one of our available 50-minute slots? Any qualified industry professional is welcome to submit and all ideas are welcome, including DFIR talks that don’t necessarily tie directly back to our products. Our goal for this event is to be relevant to the industry, with general interest talks that help investigators in all areas of the field.

The deadline to submit to our CFP is December 6! If you’re interested in presenting, send an abstract and your bio/photo along to magnetusersummit@magnetforensics.com. Once the speaker line up is finalized, it will be posted

Want to get some ideas of what our presenters talked about last year? View the 2019 agenda here.

The Importance of Sharing 

In a previous blog post, Jessica Hyde, our Director of Forensics, wrote about “The Importance of Sharing in DFIR”: 

Each conference has a slightly different personality and feel. Writing a response to a CFP (Call for Papers or Call for Presentations) can be intimidating, but it is worth it to share your findings with a wide audience. It’s also a great opportunity to meet other people in the field and have discussions about a variety of topics. 

Here are some ideas of what you can share: 

  • Research you’re doing. Did you encounter a mobile device or an app you’d never seen before? Tell us about the digging you did to learn more, and what you found out.
  • Case studies. Give us the details about some process that frustrated both you and your stakeholders, until you worked out how to streamline it and save hours of headaches. Or, tell us about that tricky device with the data you just knew was hidden somewhere, and how you got to it.
  • Results, results, results. What are your lab’s key performance indicators (KPIs), and how do you meet them? We want to hear about the processes, divisions of labor, and tools you use to get results back to investigators faster, improve the quality of results you provide, or track cases more easily—and the metrics you use to track your progress. 
  • Trends in your region or area of focus, and the best practices you developed to approach them. Maybe it’s a mobile device model seen only in your region, or a new way criminals or corporate intruders are using to escape detection. What are you doing, or have you done to overcome it? 

Need more specific areas to cover? Here are some topics we’d love to see touched on:

  • O365 investigations
  • Leveraging Connections in incident response investigations
  • Amazon Web Services, Azure and/or GPC investigations
  • Memory forensics
  • Magnet AXIOM Mobile (recommended) workflows
  • Magnet AXIOM Mobile exploits (in detail)
  • Anti-forensics
  • Artificial Intelligence as applied to digital forensics
  • Incident response
  • Mobile forensics
  • Magnet AXIOM Cyber
  • Mac forensic investigations workflows/case studies
  • Effectively separating chaff from wheat in investigations
  • Getting to evidence of value more quickly
  • Chromebook investigations
  • IoT forensics
  • Data recovery
  • Preliminary on-scene forensic analysis

Interested in Presenting?

Ready to get started? Send an abstract and your bio/photo along to magnetusersummit@magnetforensics.com.

Remember, the deadline to submit to our CFP is December 6, so don’t wait! Once the speaker lineup is finalized, it will be posted on the Speakers page of the Magnet User Summit website.

And feel free to reach out to us at magnetusersummit@magnetforensics.com if you have any questions.

The post Submit to the Magnet User Summit 2020 Call for Papers (CFP) appeared first on Magnet Forensics.

Using the checkra1n Jailbreak

You can’t get far on the internet these days, particularly in #DFIR circles, without hearing about checkra1n — and for good reason. What axi0mX introduced to the world back in September with his unpatchable BootROM exploit known as checkm8 (and the official beta release from the checkra1n team last month) is a game changer.

For iOS researchers, it means a perpetual working jailbreak for current and future versions of iOS. Indeed, nothing on this scale has ever been seen throughout the entire history of iOS.

Magnet Forensics Products Support Acquisition from iOS Devices Jailbroken with checkra1n

Some may have been surprised by how quickly vendors were announcing checkra1n support, including Magnet Forensics. This is because most tools already had support for privileged (root access) acquisition of jailbroken devices. Magnet ACQUIRE remains one of the few options that allow you to do it for free.

Magnet Forensics products use SSH (secure shell) to retrieve files from jailbroken iOS devices. Since checkra1n enables SSH by default, there’s no need for any extra steps (e.g. Cydia or third party agent installation). There was one caveat (noted in the checkra1n FAQ) that we needed to address.


The good news is, as of Magnet AXIOM 3.8, port 44 is something that is automatically looked for when acquiring iDevices. (Don’t worry, Magnet ACQUIRE got the update too.)

Still forthcoming from the folks at checkra1n is native Windows support. It’s on their roadmap, so only a matter of time. In the meantime, you’ll still need some form of macOS in order to run the exploit.

Forensically Sound? Weighing the Pros and Cons

But what about digital forensic examiners? It’s certainly another acquisition option at your disposal and does allow for a more comprehensive acquisition in the right circumstances. But for those in law enforcement, does it replace GrayKey or other iOS unlocking services? To answer this, we should first cover what is meant by forensically sound and how smartphones have evolved this definition.

Back in the day, hardware write blockers could be used on just about every acquisition. It was possible to establish mathematical certainty that digital evidence hadn’t changed throughout its time in custody. Of course, write blockers just aren’t an option with smartphones. Many extraction techniques require the device to be powered on during acquisition and the device memory will be changing by the millisecond.

And so, the core principles of digital forensics have necessarily adapted. Instead of “do not make any changes under any circumstances,” we now strive to make the minimum amount of changes, using established and proven techniques wherever possible and taking ample notes for each step we take along the way. We describe the adherence to these ideas as being “forensically sound” and do our best as experts to apply it from case to case.

checkra1n is being tested around the world yet currently remains closed source and beta. The official FAQ points out that while generally believed to be a safe procedure, no warranty is provided and backing up the device beforehand is recommended. Beyond these warnings intended for all checkra1n users, I’ve come up with some additional points from a forensic perspective to consider before employing the exploit:

  • Running checkra1n necessitates rebooting the phone, potentially losing anything stored in-memory on the phone and landing you in BFU (Before First Unlock) state. In BFU, access to data will be limited to files that aren’t encrypted, which is an extremely limited subset of files/keychain and could impact the likelihood of success for brute forcing.
  • By using checkra1n, you are subjecting the device to persistent changes and risk, up to and including the device becoming inoperable.
  • The admissibility of evidence acquired using this technique could be called into question.
  • checkra1n doesn’t impact the need for trust (lockdown), or USB Restricted Mode, meaning you’ll need to be on the same WLAN as your target in order to connect to it with SSH.
  • Keychain extraction remains difficult. If you’re hoping to extract Wickr decryption keys for instance, you might be disappointed. Much of the publicly available info regarding keychain decryption of jailbroken devices is quite dated.

Despite these considerations, checkra1n is an exciting new development, especially for the purposes of research or perhaps corporate investigations where the passcode is known.

One last note, if you decide to attempt using checkra1n on an exhibit, please consider taking a logical acquisition first. Obtaining a logical is fast and certainly beats having to explain a bricked device and no data at all!

Feel free to reach out to me at mike.williamson@magnetforensics.com or @forensicmike1 on Twitter if you have any questions or feedback.

The post Using the checkra1n Jailbreak appeared first on Magnet Forensics.

Magnet AXIOM 3.8 Brings AirDrop Artifacts, Updates to Acquisitions with checkra1n, and More!

Magnet AXIOM 3.8 is now available! Update within AXIOM or download AXIOM 3.8 over at the Customer Portal today. AXIOM 3.8 provides new mobile artifact and acquisition enhancements — including AirDrop and full logical acquisition of iOS devices jailbroken using checkra1n, new Slack updates and much more.

If you haven’t tried AXIOM yet, request a free 30-day trial here.

New Mobile Artifacts and Acquisitions Available

Building on our continued Mac support, Magnet AXIOM 3.8 brings support for dedicated AirDrop artifacts that AXIOM can now parse out. Get a deeper look at what kind of rich data you can get from these artifacts:

We’ve also brought in more location artifacts from iOS devices including seen Wi-Fi devices, cell towers, and parked car locations. 

If ‘Show Parked Location’ is enabled on an iOS device and Bluetooth or CarPlay is leveraged in the vehicle, the phone will track approximately six weeks of locations frequented by the user. Wi-Fi Locations and Cell Tower Locations also track approximately a week of towers or Wi-Fi access points seen by the device, which can help establish approximately where users have been, and what patterns their movements followed, within that period of time.

Additionally, AXIOM 3.8 performs full logical acquisitions of the Pixel 2 and parses deleted files for artifacts on Android EXT4 file systems. AXIOM will now display the metadata for deleted files from EXT file systems of Android mobile devices, so when reviewing a suspect’s Android phone, you can now find pictures that were recently deleted from the mobile phone that may contain explicit material.

Acquire Evidence from checkra1n Jailbroken iOS Devices

AXIOM 3.8 builds on our previous support of checkra1n to provide the ability to acquire from port 44 in addition to the default port 22 when acquiring from jailbroken devices. This ensures that no additional software is required for acquiring devices using checkra1n — a perpetual working jailbreak for current and future versions of iOS.

Need to learn more about checkra1n? Check out this blog post from Mike Williamson.

Slack Live Acquisition

When acquiring a live Slack account, you can now select which public and private channels you wish to acquire. In addition, you can now optionally choose to include attachments for your acquisition (choosing not to include attachments can improve acquisition times.)

Magnet AXIOM Cyber Updates

For those of you on the Magnet AXIOM Cyber beta, you’ll want to update to the latest version to take advantage of these enhancements:

Slack JSON Processing Enhancements

If you’re processing JSON packages, you will have the ability to selectively choose to acquire attachments — which are not included in the export package provided by Slack.

Amazon Web Services EC2 Image Acquisition

AXIOM Cyber users will also now have the ability to acquire snapshots of AWS EC2 instances from their AWS environment, helping to automate and simplify the acquisition of EC2 virtual machine images for investigators.

Capture Memory (RAM) from PCs

This can be done via remote acquisition and can provide additional insight. For example, full capture can help identify how processes are interacting with one another.

Warning Notifications for Firewalls

If a remote connection is blocked by Windows Firewall, you will now get a warning notification so you can adjust your firewall configuration to allow the remote collection.

4K Sector Support (NTFS)

AXIOM will now scan NTFS images that contain 4K sectors. As of 2020, it is no longer required for 4K drives to emulate 512-byte sectors. AXIOM will now be able to read these drives natively.

Quality of Life Improvements

When AXIOM cannot process an artifact, it will time out and then move on. Now when AXIOM 3.8 times out on processing an artifact, you will get notified — giving you more insight on what AXIOM is doing and how it is interacting with your data.

Additionally, AXIOM will no longer force you to choose a case type, allowing you to make your case type optional.

Case Dashboard Summary Reports

You can now generate a PDF summary report for the Media categorization and Keyword matches cards in the Case Dashboard or generate either a PDF or HTML summary report from the Create report/export dialog.

New Artifacts

  • AirDrop Incoming Transfers (macOS)
  • AirDrop Outgoing Transfers (macOS)
  • AirDrop Discoverability (macOS)
  • AirDrop Activity (macOS)
  • Additional Sources (iOS/Android)
  • Cryptocurrency Wallets/Clients (Windows)
  • Pinterest (iOS/Android)
  • Tumblr (iOS)
  • LG MPT (Android)
  • Wi-Fi and Cell Tower Locations (iOS)
  • Parked Car Locations (iOS)

Updated Artifacts

  • Snapchat (iOS/Android)
  • Messenger (iOS)
  • Messages/SMS/MMS (iOS)
  • Facebook (iOS)
  • Yahoo! Webmail (Android)
  • Twitter (iOS)

Get Magnet AXIOM 3.8 Today!

If you’re already using AXIOM, download AXIOM 3.8 over at the Customer Portal. If you want to see how AXIOM 3.8 can help you find the evidence that matters, request a free 30-day trial today!

The post Magnet AXIOM 3.8 Brings AirDrop Artifacts, Updates to Acquisitions with checkra1n, and More! appeared first on Magnet Forensics.

Using Magnet AXIOM for Your Forensic Analysis

With the exponential growth of digital data in forensic examinations, it becomes vital to examiners to leverage advanced analysis techniques to minimize the time it takes to cull through the vast amounts of evidence. Having Magnet AXIOM in your toolkit can help streamline that analysis on all your casework!

We integrated a variety of features into AXIOM to help you efficiently surface the relevant data of your case, maximizing your time and allowing for more thorough end of case reporting. Best of all, these features work across all evidence sources, be it computer, mobile, cloud or memory. Regardless of if you are in law enforcement or in the corporate environment, here are some ways you can fully utilize AXIOM’s analysis capabilities.

Connections

If you haven’t tried out Connections, you might be missing out on an incredibly streamlined way to analyze your evidence. The Connections feature in AXIOM gives you a visual representation of how your artifacts are related in your case. Using the properties of each artifact, called artifact attributes, you can show relationships between an attribute of your choosing, such as a filename or hash value, to other related artifacts in your case.

Connections

Very quickly, you can connect the dots between mobile devices, cloud sources, external storage devices, and both Mac and Windows operating systems that you might be reviewing in your case. Connections makes it very easy to identify how important files moved between evidence sources, who has accessed them, how individuals communicated, and with what applications. Utilizing Connections is a fast and efficient way to find the relevant entries in heavily populated artifacts such as the UsnJrnl, $Logfile, Windows Event Logs, SRUM data, Office 365 Audit Logs, or FSEvents. See Connections in action here:

Enhanced Timeline

Magnet AXIOM’s Enhanced Timeline view provides a comprehensive compilation of all of the dates and timestamps parsed out in your case. This includes timestamps reported by the file system and, because AXIOM takes the artifact-first approach to processing data, any timestamps parsed from the artifacts in your case. This is important for understanding the activity that occurred on your evidence, especially for artifacts that have numerous timestamps parsed from them, such as LNK or prefetch files, chat records, or logs.

Timeline

Examiners can take advantage of our different time filters as well, to really help narrow down to the most relevant data in their case. Using the relative time filter, examiners are able to set timestamps of interest as the anchor, and decide to view a specific period of time both before and after that timestamp. While reviewing the output of your processed case in the Artifacts explorer, the relative time filter can be set which can take you directly to the Timeline view if you choose.

Filters

Additionally, AXIOM has an absolute time filter, in which we separate the ability to filter on dates and times. This allows for granular date/time filtering to ensure you only see the times needed for your case.

Filters

Read more about our Timeline Explorer here and then check it out for yourself!

Advanced Filtering

Within AXIOM Examine, we’ve added the ability to perform advanced filtering of your data, including allowing for multiple search terms, proximity searches, and an include/exclude function. This will help you surface the data you need in your investigation that much quicker. As shown below, examiners can perform string searches or utilize regular expressions. Additionally, they can add more granular filter features, such as specifying whole words only or case sensitivity. These advanced filtering options can be run globally against your case, or only against a specific column that you’re interested in. See it in action here!

Search terms

Magnet.AI

Magnet.AI helps you quickly identify chats and pictures of interest in your case by using machine learning models that have been trained with real data sets. Content of interest discovered by Magnet.AI will be tagged, such as vehicles, weapons, documents, sex-related content, and more, giving examiners a convenient starting point in an investigation. Examiners have the option to choose which AI models they wish to run on their case, making sure the time spent processing is relevant to the type of case being worked. With that in mind, regardless of if you are in the Law Enforcement or Corporate environment, there is likely to be a useful Magnet.AI module for you! Check out an example here!

Magnet.AI

Media Categorization and Officer Wellness

Although specific to our Law Enforcement customers, this feature of Magnet AXIOM is definitely worth noting. Our media categorization capability comes with increased compatibility with Project VIC/CAID hash sets. We’ve incorporated more metadata from these hash sets, such as known offender or victim, or if the file was validated by Project VIC, and they can easily be imported from either json or text format in AXIOM Process.

In AXIOM Examine, examiners can quickly filter and view items of interest based on the additional metadata tags from the Project VIC and CAID hash sets. Manual analysis of files is also now easier than ever. AXIOM allows for the categorization of newly identified files of interest either one at a time or in bulk. In addition, our Officer Wellness features allow for blurring illegal media thumbnails, automatically muting audio on videos, setting reminders to take breaks during analysis, and keeping track of grading progress, which aims to help reduce overexposure to the difficult content that investigators have to endure.

Dynamic App Finder and Custom Artifacts

Analyzing mobile device applications on both iOS and Android platforms can prove challenging, as it is impossible for commercial tools to support them all. In AXIOM, we try to alleviate some of this pain by including the Dynamic App Finder in AXIOM Process. If you choose, AXIOM will search for SQLite databases from applications that are not currently supported as a normal artifact. The Dynamic App Finder will look for databases that contain certain types of data, such as geolocational data, URLs, email addresses, etc., and allows the examiner to review this data when processing is complete. When you review the output, any recovered data that might be relevant to your case can then be added as an artifact, and can also be processed in future cases as well!

The data added to your case from the Dynamic App Finder can be configured as a Custom Artifact to run on future cases, but that isn’t the only way to add Custom Artifacts to AXIOM. Within AXIOM Process, you can easily add custom file types for AXIOM to parse as an artifact. This is a great way to ensure file types that you might see time and again in your investigations are being readily recovered for easy review, even if AXIOM does not currently support it as an artifact type.

Additionally, AXIOM allows for the import of specialized custom artifacts that can either be written by you, or downloaded for free from our customer portal! Our Artifact Exchange contains a collection of custom artifacts written by the DFIR community, for the DFIR community, in either Python or XML format, written for recovery of evidence that AXIOM does not currently support. If you come across evidence that you want to create your own custom artifact for, there are guides to walk you through the process. We encourage you to submit any of your newly written artifacts to the Artifact Exchange to share with the rest of the DFIR community!

SQLite Viewer

Whether to validate findings from a forensic tool, or to examine artifacts from an application that may not yet be supported, examiners are often forced to dig into SQLite databases regardless of the type of investigation they are working. In AXIOM Examine, we have implemented an enhanced SQLite Viewer, with features that can make that analysis easier, including the ability to hide and filter on columns, search tables, and perform custom SQL queries. You can convert and decode data stored within the database to multiple different formats, such as ASCII, hex, Unicode, Boolean values, and various date/time formats. Finally, examiners can view or save cells that contain BLOB data, such as pictures, music, or video files, and can even view cells that contain binary plists internally in AXIOM’s built-in plist viewer. Read more about our SQLite Viewer here!

Source Linking Artifacts to File System and Registry

Magnet AXIOM takes the artifact-first approach, but it is often useful to view files and parsed data in their native format. With source linking in AXIOM Examine, you can click the source link from Artifact view, which takes you to the exact location that artifact was parsed from in the File System or Registry Explorer. This allows the examiner to perform further analysis of that location, to determine if any additional files or registry keys might be of interest to the case. In File System view, you even have the option to view the data in hex or text format, and highlight data that AXIOM will then decode for you as seen in the screenshot below, further verifying your results.

[Screenshot: Text and Hex]

Conversation View and Chat Bubbles

There are multiple great ways to review chat messages that AXIOM recovers in your case. In the Artifacts explorer, you can switch to conversation view, which will thread together messages parsed from the same conversation for easier review.

The chat preview in AXIOM Examine will also show the selected chat messages in chat bubbles. This is a great way to illustrate chat data to nontechnical stakeholders, as it is a very familiar way of viewing this type of data and can therefore allow for further understanding of your reporting.

World Map View

The Artifacts explorer lets you switch to World Map View to visualize where your digital evidence has been. Any artifacts that contain geolocational data will be plotted on the map, so you can see exactly where in the world the artifacts are reporting from and can track details of the movements of your digital evidence. This can be vital to your examination and increase the impact of reporting that you do on this data.

Conclusion

As you can see, Magnet AXIOM comes jam-packed with tons of analysis features to allow you to dig deeper in all of your examinations. Try it out for yourself! If you’re not already using AXIOM, you can request a free 30-day trial today.

The post Using Magnet AXIOM for Your Forensic Analysis appeared first on Magnet Forensics.

2019 in Review: Mac Support Updates in Magnet AXIOM

With the release of Magnet AXIOM 3.0 in early 2019, we added to our world-class Windows support, by adding Mac support to Magnet AXIOM — including support for the newest version of macOS (10.15 — Catalina) as soon as it was publicly available. With these updates, we’re making it even more comprehensive for computer forensics than ever before!

Here’s a quick overview of some of the features we’ve brought to AXIOM to help with Mac investigations this year. If you haven’t tried Magnet AXIOM and want to see how you can investigate Mac evidence with the complete digital investigation platform, try it free today.

If you want to dive deeper, check out our recorded webinar, “macOS: Forensic Artifacts and Techniques That are Essential for Mac Investigations“, and our “Magnet AXIOM and macOS/APFS” white paper.

Want to see what else happened at Magnet Forensics in 2019? Check out our 2019 Year in Review and our Forensics Experts’ end-of-year highlights.

Support for Decrypting FileVault2-Encrypted Drives, APFS, macOS Artifacts and More

With AXIOM 3.0, we introduced the ability to search and recover data from Apple products running macOS. AXIOM began supporting the decryption of FileVault2-encrypted drives, containers, and volumes, as well as parsing artifacts from APFS sources and traversing the File System explorer in AXIOM.

And, in keeping with our artifacts-first approach, we also added support for over 180 relevant macOS artifacts, including support for parsing user account information, FSEvents, connected devices, MRUs and the KnowledgeC database.

Learn more in this How-To document on APFS and Mac support in Magnet AXIOM.

Finding More Deleted Data

In addition to searching the known file system for artifacts, AXIOM searches recently deleted files that are stored in the APFS Free Queue on Mac computers.

Display Spotlight Metadata from macOS

Files on macOS can carry a number of additional attributes associated with each file on the file system, typically referred to as extended attributes. AXIOM 3.4 surfaced this metadata in a new card in the details pane, providing a view of common attributes of interest in the Artifact Explorer, and a full listing of attributes in the File System explorer.

Carve Unallocated Space for Artifacts on APFS

Following on our support for carving the macOS free queue for artifacts in AXIOM 3.2, AXIOM 3.4 added support for carving unallocated space on APFS. This is typically limited to files that have been deleted and their associated blocks released back to the filesystem since the last password change.

Ingest AFF4 Physical Images from MacQuisition

You can ingest and process the AFF4 physical images acquired from MacQuisition. Starting in 2017, Mac computers have Apple’s T2 security chip providing hardware-assisted encryption for data stored on the system.

As an APFS Container on a T2 hardware-encrypted system is acquired, MacQuisition interfaces with the chip to decrypt the protected data, creating a decrypted physical image using the AFF4 format.

macOS Extended Attributes

Extended attributes are arbitrary metadata stored with a file on macOS. They are separate from the attributes that are strictly determined by the filesystem (such as modification time or file size). These attributes contain extra information about the file that is completely customizable.

As of AXIOM 3.7, you can access the complete extended attributes of a file and preview them within a hex and text preview card.

For example, if you’re seeking information about how a file arrived on the system, the attribute kMDItemWhereFroms provides examiners with this context, whether the file came from a web download or via AirDrop.
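To validate what the hex preview of this attribute shows, the value can be decoded by hand. The sketch below is an added example, not AXIOM code: it relies on the attribute being stored on disk under the name `com.apple.metadata:kMDItemWhereFroms` as a binary property list of strings, and the sample values, function names and the "web" / "non-url" labels are assumptions made for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# On-disk name of the extended attribute; its value is a binary property list.
XATTR_NAME = "com.apple.metadata:kMDItemWhereFroms"
URL_SCHEMES = ("http", "https", "ftp")


def from_hex_dump(text):
    """Convert a hex preview or export (hex bytes, any whitespace) to raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_where_froms(raw):
    """Return the list of origin strings stored in the attribute value."""
    if not raw.startswith(b"bplist00"):
        raise ValueError("value does not start with the binary plist magic")
    try:
        value = plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
    except (plistlib.InvalidFileException, ValueError, OverflowError) as exc:
        # Carved or partially overwritten attributes are often truncated.
        raise ValueError("truncated or corrupt binary plist") from exc
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        raise ValueError("unexpected plist root type: " + type(value).__name__)
    return [item for item in value if isinstance(item, str) and item]


def classify_origin(entries):
    """Split entries into URL hosts and non-URL strings (labels are hypothetical)."""
    hosts, non_url = [], []
    for entry in entries:
        parts = urlsplit(entry)
        if parts.scheme in URL_SCHEMES and parts.hostname:
            hosts.append(parts.hostname)
        else:
            # Assumption: a non-URL entry (such as a device name) points to a
            # transfer that did not come from a browser; corroborate it with
            # other artifacts before drawing a conclusion.
            non_url.append(entry)
    if hosts:
        kind = "web"
    elif non_url:
        kind = "non-url"
    else:
        kind = "empty"
    return {"kind": kind, "hosts": hosts, "non_url": non_url}


# Constructed sample values, built here so the example runs offline.
SAMPLE_WEB = plistlib.dumps(
    ["https://downloads.example.com/files/report.pdf",
     "https://www.example.com/reports"],
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_PEER = plistlib.dumps(["Constructed Sender iPhone"], fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for label, raw in (("web sample", SAMPLE_WEB), ("peer sample", SAMPLE_PEER)):
        entries = decode_where_froms(raw)
        print(label, XATTR_NAME, entries, classify_origin(entries))
```

For a browser download the first entry is typically the file URL and the second the referring page, which is why both hosts are reported rather than only the first.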

Learn more about extended attributes, spotlight metadata, and the quarantine events database in this video from Trey Amick, Forensics Consultant:

AirDrop Artifacts

And with Magnet AXIOM 3.8, we brought support for dedicated AirDrop artifacts that AXIOM can now parse out. Get a deeper look at what kind of rich data you can get from these artifacts:

Of course, we also continued to work on improving the performance within AXIOM. We were able to significantly reduce the time it takes to scan Mac images, seeing up to 4x improvements in speed—in one example, a scan that once took 4 ½ hours now takes just 52 minutes!

And if you want to see how you can use AXIOM to help in your Mac USB investigations, check out this AXIOM at Work video:

If you haven’t tried Magnet AXIOM and want to see how you can investigate Mac evidence with the complete digital investigation platform, try it free today!

The post 2019 in Review: Mac Support Updates in Magnet AXIOM appeared first on Magnet Forensics.


2019 in Review: Highlights From Our Forensics Experts

Continuing on from our 2019 in Review series, we caught up with our internal Forensics Experts to get an idea of what product innovations and trends excited them the most this year. Read their responses below and check out our other 2019 review posts where we summarize the year at Magnet Forensics and our year developing our Mac support within Magnet AXIOM.

Jessica Hyde, Director of Forensics (@B1N2H3X)

Wow, looking back on 2019, we have put out so many new features and products. My favorite new product from Magnet Forensics this year is Magnet AUTOMATE. What I like most about AUTOMATE is how it allows examiners to focus on the deep technical forensic work instead of pushing buttons to process evidence. AUTOMATE allows forensic labs to create custom orchestration of any forensic tools that have a CLI. This allows organizations to take advantage of hardware and software 24 hours a day, helping to reduce backlog and begin analysis sooner, leading to quicker turn-around times, reduction of backlogs and to forensic examiners spending more of their time finding new artifacts and conducting detailed analysis.

What am I excited for in terms of trends? I am excited about the dramatic change to doing full Pattern of Life analysis on mobile phone data. Traditionally, mobile forensics focused on the content recovered from applications. There has been a dynamic change over the last 18 months due to both research and access. Everything from Usage Stats, Recent Tasks, and Battery Usage on Android to the wealth of artifacts being parsed from the KnowledgeC database on iOS devices. The access to iOS devices thanks to both solutions like GrayKey and the checkra1n jailbreak means we have access to these artifacts now for iOS. All of these new artifacts have led to our ability as forensic examiners to timeline activity on mobile devices, both iOS and Android, like never before! And what this means is examiners have dramatically changed the way they look at mobile forensic analysis and now are able to understand more about the activity that occurred on a device.

One of the things I love most about working in DFIR is that there are constantly new challenges and changes. I look forward to how we address Cloud data as a community. And “cloud” data can refer to so many things! It could be environments that store in AWS, Azure, or Google Private Cloud. But it can also mean application data stored off the mobile device, cloud backups, third party app storage, IoT sensors and devices, as well as corporate suites like Microsoft O365 and Google Suite. We can acquire this data in a variety of ways – scraping, undocumented APIs, passwords, and auth tokens. But the real challenge in dealing with this data exceeds the technical, as a major challenge to Cloud sourced data rests with legal authorization and modernizing our standard operating procedures to deal with these challenges.

There are a whole host of other challenges that we will continue to face — from encryption, to the Internet of Things, to increasing amounts of data, to new hardware, to ever-changing apps and operating systems. As we, as a community, continue to tackle these ideas, one of the most important things we can do is to share information with each other as we each learn new things, be it about an application, a device, or a data source. Sharing our learnings with others and working together to build on things is the only way we will be able to keep up with these challenges. Over the past year there has been vast collaboration and sharing throughout our DFIR community. I am excited about our future and how we can all work together to find innovative solutions to continue moving forward.

Jamie McQuaid, Technical Forensic Consultant (@reccetech)

Looking back at all the things we added to Magnet AXIOM or things we added at Magnet Forensics can be overwhelming because it’s amazing how easy it is to forget things we did only a few months ago.

I’m going to pick two things that I would say are my favorite: one AXIOM feature, and one new product. First on the list is the complete redesign of our Timeline Explorer in AXIOM. I’m a huge fan of doing timeline analysis for any investigation type and our new timeline allows us to quickly conduct that analysis and visualize the activity on a computer or phone using all available timestamps from both the artifacts and file system. The level of granularity it enables allows me to follow a user’s interactions step-by-step.

The second item I want to call out is Magnet OUTRIDER. This is still a relatively new product by us, only being released in October, but has really resonated with users. OUTRIDER’s ability to quickly identify inappropriate material on a computer or phone in seconds allows people doing regular review of computers for contraband to get actionable results almost immediately. Pairing that with the partnership with CRC which will allow us to identify more relevant material even faster, this is certainly something to keep an eye on early in 2020.

I think the most exciting thing happening to DFIR right now and will likely continue into the new year is the discussions going on around data being recovered from Apple devices. For the past several years, we’ve been limited to what has been available in an iTunes backup. With the availability of GrayKey extractions and most recent exploits for Checkm8/Checkra1n, analysis of Apple devices has been very helpful in many investigations. The level of artifacts you can recover when you have this level of access is amazing. KnowledgeC, Network usage, ScreenTime, FSEvents, Health Data, Significant Locations, Email, iOS Wallet, Keychain tokens/passwords, all previously unavailable without these tools and methods. I look forward to seeing what 2020 brings.

Tarah Melton, Forensic Consultant (@melton_tarah)

It’s hard to pick a favorite new feature in AXIOM from 2019. This year was filled with tons of exciting developments, from APFS support to our enhanced media categorization with Project VIC and CAID. But, if I could only pick just one, I’m going with our new and improved Timeline view! This to me was a total game changer, to be able to create such a comprehensive timeline of both file system AND artifact timestamps from ALL evidence loaded in your case, be it computer, mobile, cloud, or even memory! Along with the ability to utilize the relative time filter from Artifacts view, allowing the examiner to jump right to the moment of the Timeline that they are interested in, makes analysis of the events within your case incredibly effective and streamlined. The categorization of each of these events helps the examiner quickly identify the type of activity that might be of most value to their case, such as user communication or program execution.

The Timeline view also shows a useful line graph at the top for easy navigation between the timestamps of an artifact, and to provide the examiner with a visualization of when activity was occurring and any patterns of activity that might be of interest. I am absolutely blown away with the capability of the Timeline view in AXIOM. Read more about it here and then check it out for yourself!

Mike Williamson, Technical Forensic Consultant (@forensicmike1)

I’m new to the Magnet Forensics team this year, and have been struck by the amount of effort that goes into each and every release of our products. From research and development, to testing and rollout, the team works with an impressive level of cohesion from multiple Magnet Forensics offices in different countries. Magnet Forensics is known for being a vendor who truly pays attention to customers, and I’ve realized this comes from a deeply rooted philosophy within the organization to continually improve the product in meaningful ways.

As mobile tech companies of the world tighten their grip on the security of their devices ever further, I am profoundly interested to see how the #DFIR community (which includes both vendors and users), will respond. The old adage “if humans can make it, humans can break it” will surely be tested over the next decade.

My favorite new feature in AXIOM in 2019 was most certainly the ability to use regular expressions as filters including on a per-column basis. I love this change in particular because it allows you to harness the power of an entire parsing language without taking you away from your current view. That you can stack multiple regexes on top of each other is also excellent. I love to see advanced features like this make it into the product because it provides veteran users new functionality to explore, but also for newer users to the product – as they progress as an examiner and become more knowledgeable, these hidden gems will be available to them to discover and use in their day to day examinations.

The post 2019 in Review: Highlights From Our Forensics Experts appeared first on Magnet Forensics.

2019: A Year in Review

2019 was a big year for us here at Magnet Forensics. Between huge updates to Magnet AXIOM, other exciting new product releases, our first multi-day Magnet User Summit, and partnerships with Grayshift and Child Rescue Coalition, we’ve been excited to bring great solutions to our customers and to the community at large. With the year winding down, we thought we’d take a moment to look back on everything we were proud to accomplish in 2019.

Read more below and check out our other 2019 review posts where our Forensics Experts give their end-of-year highlights and where we outline the development of our Mac support within Magnet AXIOM.

Magnet Forensics Wins Two Forensic 4:cast Awards

We were absolutely honored to be recognized by voters around the world in this year’s Forensic 4:cast Awards! This year, there was a bit of an overhaul to the categories to help reflect the DFIR community as a whole, and we were able to bring home the coveted DFIR Team of the Year and DFIR Commercial Tool of the Year awards!

Once again, thank you to every single person who submitted their nomination and vote — we’re always working to help you in your role and we hope we can count on your support again next year!

Announcing Our Partnership with Grayshift

In February, we were proud to announce that we had entered into an exclusive global technology and distribution partnership with Grayshift, allowing customers in law enforcement to perform the most comprehensive investigations on iOS devices possible today. The partnership meant that law enforcement agencies around the world could not only purchase GrayKey directly from Magnet Forensics, but get an exclusive integration between GrayKey and Magnet AXIOM.

On top of that, we’ve had a great time hosting roadshows and presenting at industry conferences together and can’t wait to keep it going in 2020!

Bringing Mac Support to Magnet AXIOM

In addition to our world-class Windows support, 2019 saw Mac support come to Magnet AXIOM — making it even more comprehensive for computer forensics than ever before! Throughout the year, we’ve continued to build on that support, which includes support for both HFS+ and APFS as well as decryption of FileVault 2 encrypted drives, volumes, and partitions — along with macOS artifacts like FSEvents and Bash History.

Read more about our Mac support in this dedicated end-of-year round-up.

Continuing Our Best-in-Class Forensic Analysis Capabilities in Magnet AXIOM

We’ve continued to expand features within AXIOM, proving it is the complete digital investigation platform that will help you efficiently surface the relevant data of your case, maximizing your time and allowing for more thorough end-of-case reporting. Best of all, these features work across all evidence sources, be it computer, mobile, cloud or memory!

Check out this blog post to learn how you can use Connections, Timeline, filtering, media categorization, Dynamic App Finder, and more to fully utilize AXIOM’s analysis capabilities.

Introducing Magnet AXIOM Cyber in Beta

In October, we were excited to share a new solution, purpose-built for organizations needing to perform remote acquisitions and collect & analyze evidence from computers, cloud services, and mobile devices: Magnet AXIOM Cyber. AXIOM Cyber was available as part of a beta program, and the response was overwhelming! Thanks to everyone who participated, we’ll be bringing a product shaped by your feedback to you soon. Check back for updates.

Clearing the Way with Magnet OUTRIDER

An easy way for officers and investigators to check devices for digital contraband, Magnet OUTRIDER is an intuitive preview tool that quickly scans smartphones and computers to determine if there is illicit material present and to develop a risk profile of the target user.

We were also proud to recently announce that we partnered with Child Rescue Coalition (CRC) to bring their Neula technology to OUTRIDER. Neula identifies fragmented pieces and enables fast detection of illegal content — with block hashing technology as a core component — and has been trained on known CSAM material.

For a limited time, Magnet OUTRIDER is available as an extended free trial. Visit www.magnetoutrider.com to take part! Read more in the blog here.

Efforts to Improve Officer Wellness

The effects of chronic exposure to CSAM or IIOC (illicit images of children) can be immense for those who are performing ICAC investigations. With the release of Magnet AXIOM 3.4, we brought in a host of features designed to reduce overexposure to CSAM with the goal of improving officer wellness. Learn more about how we’re helping officers in these investigations here.

Monthly Magnet AXIOM Updates

Every month, we’re bringing new and important features to Magnet AXIOM in an effort to help examiners find more evidence that matters. Here’s a quick summary of some of the features we’ve introduced this year (click on the release to learn more):

AXIOM 3.0 – Support for Macs and new cloud sources, a powerful and intuitive new Timeline view, media categorization enhancements, DAF & Magnet.AI improvements, and more.

AXIOM 3.1 – GrayKey integration, a new and improved SQLite viewer, and support for 12 Chromium-based browsers on Android.

AXIOM 3.2 – Instagram warrant returns, the ability to search recently deleted files that are stored in Free Queue on Mac computers, and more.

AXIOM 3.3 – Snapchat warrant returns, SIM card imaging and processing, LG lock bypass support.

AXIOM 3.4 – Officer wellness features, More Mac support, Snapchat, MTK backup acquisition and processing.

AXIOM 3.5 – Apple warrant returns, UX & Quality of Life improvements.

AXIOM 3.6 – Advanced filters, Instagram public data, Apple updates (including iOS 13 & macOS 10.15 [Catalina]), Xiaomi & Huawei backup support.

AXIOM 3.7 – Google warrant returns, KTX files, AFF4 physical images from MacQuisition, macOS extended attributes, PhotoDNA updates.

AXIOM 3.8 – AirDrop artifacts, full logical acquisition of iOS devices jailbroken using checkra1n, new Slack updates.

New Training Courses Go In-Depth on Internet & Cloud Investigations, GrayKey, and macOS Investigations

Over the course of 2019, we were excited to introduce three new training courses to our catalog:

And thanks to our Training Annual Pass (TAP), students have been eligible to take as many courses as they want within a 12-month span (don’t have a TAP yet? Click here to learn more.)

Magnet User Summit Brought Digital Forensics Experts to Nashville and The Hague

Magnet User Summit 2019 was our biggest event yet! A three-day conference designed to bring digital forensics experts together to learn the latest trends in the industry and to learn more about how to maximize the use of Magnet Forensics products in their investigations, MUS2019 was a great success — so much so that we’re bringing it back to Nashville May 11-13! Check out this highlight reel and be sure to head to www.magnetusersummit.com to save your spot for MUS2020.

Magnet AUTOMATE Helps Labs Complete Investigations Over 2x Faster

Early in 2019, we introduced Magnet AUTOMATE, a new solution that allows labs to complete their investigations faster by powering a repeatable forensic workflow that minimizes downtime and maximizes efficiency. Since its release, we’ve gotten great feedback from the market and have enhanced AUTOMATE greatly with Magnet AUTOMATE 2.0 — which reduces processing time by 90% and includes case merging, maximizing computing resources, and integration with the fastest imaging hardware in the industry: Atola TaskForce!

Introducing Magnet SHIELD to Empower Frontline Officers

In October, we released Magnet SHIELD, an innovative new solution that empowers the frontline police officers and investigators in your police service to easily capture and report on digital evidence from consenting victims and witnesses in the field.

Magnet SHIELD will give officers and investigators the ability to:

  • Quickly and easily capture chat, picture, and video evidence at the scene
  • Immediately produce shareable evidence reports
  • Preserve key digital evidence from consenting victims and witnesses
  • Enable victims and witnesses to select the evidence they want to share

Learn more over at the Magnet SHIELD page.

The First Winner of the Magnet Forensics Scholarship Program

After all of the nominations, the results came in: We were proud to announce the first recipient of the Magnet Forensics Scholarship Program, Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT. Learn more about Eric in this Q&A and keep an eye out for the 2020 winner soon!

Get Your Magnet Merchandise!

Just in time for Giving Tuesday, we unveiled our new Magnet Merchandise store, loaded with exclusive Magnet Forensics branded items and with all profits going to charity — we’re proud to support the International Justice Mission with the launch of our new store! And there’s still time to take advantage of our 15% discount off your first purchase. Simply visit magnetmerchandise.com and use the code MAGNET15 during checkout.

Here’s to Great Things in 2020!

As you can see, 2019 was an eventful year for us here at Magnet Forensics! And it looks like there’s no slowing down in 2020. Be sure to check back regularly at the Magnet Forensics Blog for more updates as they come.

From everyone at Magnet Forensics, thank you all for all of your support and for the work you do. We’re truly honored to be trusted to help you in your work and we’ll continue innovating to help you get there faster and safer. Happy holidays!

The post 2019: A Year in Review appeared first on Magnet Forensics.

AirDrop Artifacts and More in Magnet AXIOM 3.9!

Magnet AXIOM 3.9 is now available! Update within AXIOM or download AXIOM 3.9 over at the Customer Portal today. In addition to performance and quality of life improvements, AXIOM 3.9 includes updated AirDrop artifacts, rebuilt desktops for Windows, and more.

If you haven’t tried AXIOM yet, request a free 30-day trial here.

Mac Support in AXIOM Continues with More AirDrop Artifacts

With the recent releases of both AXIOM 3.8 and 3.9, we’ve added additional Mac support to parse the unified log for entries surrounding the use of AirDrop. You can review these AirDrop artifacts on both computer and mobile evidence sources.

Whether your macOS/iOS case is based on intellectual property theft from an organization and identifying how that data was exfiltrated, or a criminal investigation tracking contraband on devices, AirDrop should be investigated as a potential source of how that data was moved.

Go in-depth on what you can get from AirDrop in this how-to document.

Rebuilt Desktop

Rebuilt Desktops is a new artifact that allows users to view an approximation of what a given Windows user’s desktop looks like, including wallpapers, monitor configurations, and icon positioning—without having to virtualize the image.

Many examiners, as part of their court preparation, will virtualize images in an effort to show non-technical stakeholders the look and feel of someone’s Windows environment. While this is powerful when it comes to painting a clear picture of possible intent of a suspect, virtualizing an image often requires additional software and time. The Rebuilt Desktops artifact aims to help provide a visual reference without the need of virtualizing the entire suspect machine.

Read more about it in this blog.

Sync Tags Between Artifacts and File System

In AXIOM 3.9, you now have the ability to sync tags applied to items between the filesystem and artifacts explorer. You can perform an export for all tagged artifacts and files and include those tagged files from the filesystem in reports. Check out this how-to video to learn more:

In addition, we’ve also updated AXIOM to automatically attempt BitLocker ClearKey when detected.

New Artifacts

  • Tumblr (Android)
  • GroupMe (iOS/Android)
  • Rebuilt Desktops (Windows)
  • AirDrop (iOS)
  • McAfee Logs (Windows)
  • Windows Defender Logs (Windows)

Artifact Updates

  • Installed Applications (iOS)
  • Significant Locations (iOS)
  • Knowledge C (iOS)
  • Call Logs (iOS)
  • VK (iOS/Android)
  • Wickr Me (iOS)
  • Yahoo! Webmail (iOS)
  • Skype (iOS)
  • Tinder (iOS)
  • Signal (Android)
  • TextNow (Android)
  • TextFree (iOS/Android)
  • Snapchat (Android)
  • Recycle Bin (Windows)
  • Pictures (Windows)
  • Carved Videos (Windows)
  • Chrome Extensions (All Platforms)
  • DHCP Server (Windows)
  • Prefetch Files (Windows)
  • User Accounts (iOS)

Get Magnet AXIOM 3.9 Today!

If you’re already using AXIOM, download AXIOM 3.9 over at the Customer Portal. If you want to see how AXIOM 3.9 can help you find the evidence that matters, request a free trial today!

The post AirDrop Artifacts and More in Magnet AXIOM 3.9! appeared first on Magnet Forensics.

Using Magnet AXIOM Cyber to Fight Workplace Fraud

Fraud in the workplace is top-of-mind for many corporate investigators. In fact, when we polled our own client base in October of 2019 as to what kind of corporate investigations they are most often seeing, Fraud rose to the top of the list with 54% of respondents saying that they Always or Often are dealing with cases of Fraud.

And rightfully so: according to the Association of Certified Fraud Examiners 2018 Report to the Nations: Global Study on Occupational Fraud and Abuse, over the past 10 years fraud has doubled and will continue to rise with the advancement of technology. With more and more organizations transitioning their storage and services to the cloud, that presents yet another advancement that not all may be ready for when it comes to being able to perform effective and comprehensive examinations.

Looking at some other statistics from the ACFE’s 2018 Report, they also paint a very real picture as to how serious of a threat fraud is:

  • Globally, workplace fraud costs organizations over $7 billion per year
  • Organizations can lose an average of 5% of their revenue to fraud
  • Creation and alteration of fraudulent electronic documents are some of the most common concealment methods used by bad actors
  • 1 in 5 organizations lose more than $1 million a year to fraud

As technology advances to victimize organizations, so too must technology advance to protect and safeguard organizations. Magnet AXIOM Cyber is a modern digital forensics platform tailored to meet the needs of today's companies that have embraced technology, including the latest in cloud computing, geographically distributed workforces with shared network backbones, and the use of IoT devices as a mission-critical part of their business.

Watch this video from our Forensic Consultant, Tarah Melton, as she walks you through how you can use Magnet AXIOM Cyber to investigate fraud.

Here are some other ways that our customers use Magnet AXIOM Cyber to investigate Fraud:

  • Timeline – Quickly establish a timeline to pinpoint events of fraudulent activity and use them as a starting point for your investigation
  • Artifacts-First Approach – AXIOM Cyber’s artifacts-first approach surfaces hidden or buried files no matter when they are saved
  • Reporting – Easily produce reports and share evidence with non-technical stakeholders so they can easily see the data exactly how your forensics team sees it
  • Deleted Files – Search both allocated and unallocated space and free queue (for Macs) by carving for deleted data or traces of data
  • Search – Focus on the evidence that matters by quickly finding keywords and evidence of interest with advanced searches and filtering

Use Magnet AXIOM Cyber for your next fraud investigation by requesting a free trial today!

The post Using Magnet AXIOM Cyber to Fight Workplace Fraud appeared first on Magnet Forensics.

How Magnet AXIOM Cyber Can Be a Critical Tool in Your Incident Response Investigations

Incident Response is an important process within your organization that helps safeguard your IP, client and employee records, and ultimately the livelihood of your employees. Many companies today, large or small, are facing cyber attacks constantly.

With the proliferation of technology and the increased reliance on cloud services and storage, cyber attacks are increasing in size, complexity, and cost to the victim organization. In 2019, the average cost of a data breach was $3.92 million; according to IBM's 2019 Cost of a Data Breach report, an average of over 25,000 records are compromised at a cost of $150 each.

Unfortunately, it's not necessarily a question of if a data breach will occur, but more appropriately: when.

A critical step of the IR process is the Analysis stage. This stage is key to understanding exactly what happened and how, so that what you learn can be used to harden your processes and network and potentially to recover stolen data or money.

Magnet AXIOM Cyber enables forensic examiners to quickly and easily perform IR investigations into malware or ransomware, APT cases, phishing, and BEC scams, to name a few.

Watch this video to see our Forensic Consultant, Tarah Melton, give you an idea about how to use AXIOM Cyber for your IR investigations.

“Magnet helped me quickly identify a ransomware attack and find patient-zero with the Timeline feature!”

—John Wyatt, Digital Forensic Investigator Large Enterprise Telecommunications Company

Here are some other useful ways that our customers have been using AXIOM Cyber to help them with their IR investigations:

  • Memory – Remotely acquire memory and process it with common Volatility plugins directly integrated into AXIOM Cyber enabling you to analyze running and hidden processes, network connections, and more
  • Artifacts-First Approach – Analyze file system and memory with an artifacts-first approach that immediately identifies hidden processes and artifacts like Windows Event Logs, USN Journal, $LogFile, Prefetch, Jumplists, LNK files, and hundreds more
  • Timeline – Track down malware using relative time filters that you can configure for time ranges that are specific to your examination
  • Connections – Use Connections to see how processes and files are interacting with artifacts and learn how and when an endpoint got infected
  • Audit Logs – Email phishing is the most common delivery method of malware to unsuspecting victims. AXIOM Cyber allows you to use admin or user credentials to log in to Office 365 & G Suite and collect and examine audit logs

Try Magnet AXIOM Cyber for your next IR case by requesting a free trial today!

The post How Magnet AXIOM Cyber Can Be a Critical Tool in Your Incident Response Investigations appeared first on Magnet Forensics.

Investigating Intellectual Property Theft with Magnet AXIOM Cyber

Intellectual Property is likely the most valuable asset that your company owns. And it can often be the target of cyber attacks from external sources like hackers, as well as from insider threats.

Insiders like employees, contractors, or other third parties with access to privileged information present a very real threat to your IP because it’s so easily available.

“It Can Be Very Difficult to Distinguish Illicit Access from Legitimate Access”

The CERT Guide to Insider Threats states that: “Insiders steal information for which they already have authorized access, and usually steal it at work during normal business hours. In fact, they steal the same information that they access in the course of their normal job. Therefore, it can be very difficult to distinguish illicit access from legitimate access.”

And it’s everywhere from emails, to Office 365 docs, cloud storage, employee workstations, and mobile devices. Keeping the proper checks and balances in place is difficult if not impossible since IP Theft is most often committed by those who have access to it (or even have helped create it).

When investigating cases of IP Theft, it’s imperative to understand at a granular level how files are moving between different locations, how they are being altered, what programs or apps are being used to access them and by whom. It’s equally important to analyze all of this evidence in one case file.

How Magnet AXIOM Cyber Can Help Investigate IP Theft

Magnet AXIOM Cyber helps investigators unite images from multiple evidentiary sources into a single case file and analyze the complete body of evidence as a whole. This is crucial for understanding how IP is exfiltrated from your business.

Watch this video to see our Forensic Consultant, Tarah Melton, demonstrate how AXIOM Cyber can be used to investigate IP Theft.

“Being able to quickly see and find evidence of IP Theft helped us immensely. Especially finding out how the document went from the cloud to a removable drive prior to the employee leaving the company to go work for a competitor.”

—Manager, Digital Forensics Large Media and Entertainment Enterprise

Here are some other ways that our customers are using Magnet AXIOM Cyber to help find evidence in IP Theft investigations:

  • Connections – Use Connections to follow the path of files and documents to understand where they went, who they were sent to and who sent them
  • Timeline – Typically insiders will steal IP one month before they resign and one month after they resign. Use AXIOM Cyber to build a timeline of events based on relative time filters so you can examine relevant events
  • Cloud Storage – Acquire evidence from cloud storage services like AWS, SharePoint, G Drive, and more and include it in your examination. Audit logs and other artifacts allow you to track how files moved between physical devices and the cloud
  • Artifacts-First Approach – AXIOM Cyber’s artifacts-first approach is perfect for helping you quickly identify artifacts like Email and Removable Media: the two most common data exfiltration methods
  • Covert Remote Acquisition – Covertly acquire evidence from target endpoints with a configurable remote acquisition agent so employees suspected of IP theft aren’t tipped off to an investigation
  • Magnet.AI – Another common way to exfil data is by using screenshots. Using artificial intelligence, Magnet.AI will immediately surface screenshots no matter where they’re saved in the evidence

Use Magnet AXIOM Cyber for your next IP Theft investigation by requesting a free trial today!

The post Investigating Intellectual Property Theft with Magnet AXIOM Cyber appeared first on Magnet Forensics.

Employee Misconduct Investigations — Get the Whole Story with Magnet AXIOM Cyber

Employee Misconduct cases, usually initiated by HR or from managers, can be wide ranging. From harassment, to misuse of corporate assets, to visiting prohibited websites while at work, Employee Misconduct has a very real toll on organizations.

With harassment alone, 70% of people who are bullied or harassed in the workplace end up leaving their employer. This employee turnover can result in significant costs such as retraining, lost productivity, and even potential Wrongful Termination lawsuits—not to mention intangible costs such as the impacts on company culture, workplace morale, and brand reputation.

How AXIOM Cyber Can Help

In these cases, swift action is needed to investigate allegations and reports from internal stakeholders so that the appropriate action can be taken.

Magnet AXIOM Cyber gives investigators the tools to quickly find the evidence that they’re looking for wherever it may be. Whether it’s a Slack conversation, communication via social media or mobile devices, or files that are buried and obfuscated on someone’s hard drive, AXIOM Cyber can help find the evidence needed to drive a decision made by HR or another stakeholder.

Watch this video from our Forensic Consultant, Trey Amick, to see how you can use AXIOM Cyber for Employee Misconduct investigations.

“I used Magnet to find artifacts and evidence from Chrome history along with Timeline to prove that a user misused a company asset for sexual harassment and then to access and store inappropriate content. It easily showed me where the content came from, what was used to open it and where it was stored along with the creation and access times. Very helpful information to win the case.”

Digital Forensic Investigator Fortune 500 Insurance Group

Below are a few other helpful ways that our customers are using Magnet AXIOM Cyber to help them with their Employee Misconduct cases:

  • Magnet.AI – For sexual harassment cases, use AI to quickly and automatically scan your case file for sexual conversations or images of nudity and surface them for review and analysis
  • Cloud Sources – Acquire from cloud services like Slack and Office 365 with user or admin credentials. Analyze cloud evidence alongside data from social media to corroborate claims of harassment
  • Covert Remote Acquisition – Covertly acquire evidence from target endpoints with a configurable remote acquisition agent so individuals accused of harassment aren’t tipped off to an investigation
  • Timeline – Speed up your investigation by narrowing in on timestamps from the file system or artifacts and keywords that were reported in misconduct investigations
  • Internet Artifacts – A range of artifacts will help you determine if employees were visiting prohibited websites and prove that it was actually them or not
  • Conversation View – Rebuild chat conversations in a familiar easy-to-read view that simplifies analysis and reporting for non-technical stakeholders

Use AXIOM Cyber for your next employee misconduct investigation by requesting a free trial today!

The post Employee Misconduct Investigations — Get the Whole Story with Magnet AXIOM Cyber appeared first on Magnet Forensics.


Magnet AXIOM Cyber is Here! Get a New Way to Simplify Remote Forensic Investigations

We’re proud to announce that Magnet AXIOM Cyber is now available!

AXIOM Cyber is an innovative new solution, purpose-built for organizations that need to perform remote acquisitions as well as collect and analyze evidence from cloud sources, computers and mobile devices.

In addition to all the features found in Magnet AXIOM, our best-in-class digital forensics solution, AXIOM Cyber enables you to remotely collect evidence from target endpoints. Its remote collection agent also lets you covertly deploy it to a device and if connectivity is lost, automatically resume collection of data from the point where it left off.

Request a free trial of Magnet AXIOM Cyber today!

Advanced Cloud-Related Features in AXIOM Cyber

AXIOM Cyber also helps organizations quickly understand what happened by acquiring and analyzing data across all evidence sources—including cloud, computer and mobile phones. These evidence sources also include Cloud-related features, such as:

  • Using admin credentials to access Office 365, G Suite, and Box.com
  • Acquisition from:
    • Enterprise cloud services AWS S3 and EC2
    • Microsoft Teams
    • Slack (including Slack’s JSON exports)

Learn more in this how-to video from Trey Amick:

What AXIOM Cyber Can Help You Investigate

AXIOM Cyber can help investigators with a variety of cases, including:

  • FRAUD — Insiders can use their privileged access to modify records and steal or transfer money for financial gain. AXIOM Cyber helps investigators quickly understand what data was accessed and by whom.
  • INCIDENT RESPONSE — AXIOM Cyber can help mitigate the potentially catastrophic effects of network intrusions and malware attacks with quick root cause analysis—including examining memory. This will help investigators understand how an incident occurred so their organization can be safeguarded in the future.
  • IP THEFT — The whole history of a file—where it came from, when it was opened, how it was transferred and to whom—can be crucial to solving data exfiltration cases.
  • EMPLOYEE MISCONDUCT — Claims of workplace harassment or misuse of corporate assets can be investigated by examining artifacts from the file system, cloud accounts, and mobile devices.

The Ease of Use and Artifacts-First Approach You Know from Magnet AXIOM

AXIOM Cyber will incorporate all the great features of Magnet AXIOM that help in your investigations, including:

  • The ability to easily produce reports for non-technical stakeholders
  • Examining evidence from all sources—computer, cloud, and mobile—in one case
  • Quick performance of root cause analysis
  • Visualization of key data with features like Connections and Timeline
  • Acquisition of unencrypted collections of files even when the source drive is encrypted
  • Ongoing updates that provide you with new features that optimize productivity and performance
  • Using Magnet.AI to immediately identify images and chats relevant to your case

Want to learn more? Head over to the Magnet AXIOM Cyber page for more information and request a free trial today.

The post Magnet AXIOM Cyber is Here! Get a New Way to Simplify Remote Forensic Investigations appeared first on Magnet Forensics.

Catching Up with the First Winner of the Magnet Forensics Scholarship Award

Eric Dalla Mura, Detective Corporal at the Burlington Police Department in Burlington, VT

This time last year, we announced the first recipient of the Magnet Forensics Scholarship Award, Eric Dalla Mura from the Chittenden Unit for Special Investigations. We wanted to check in with Eric on how the experience turned out for him. Below is a post from Eric describing the opportunity presented to him with the Magnet Scholarship Award and what he intends to do next.

If you haven’t seen it yet, we’ve also announced this year’s winners of the Magnet Forensics Scholarship Award — read this great Q&A with each winner and find out how you can apply for the Magnet Forensics Scholarship Award if you’re getting started in digital forensics or getting started using Magnet AXIOM.

And we’ve opened up the Scholarship program for 2019, so if you’re an officer who is looking to get a head start in digital investigations, apply today! This year, we’re also offering a scholarship opportunity for experienced digital forensics experts who have no experience with Magnet AXIOM. If your toolkit has other solutions and you’ve been wanting to learn how to use AXIOM and incorporate it into your workflow, apply today.

Thoughts from Eric Dalla Mura

Simply put, I could not have been happier with my experience with Magnet Forensics. When I started the year, I had only some hands-on experience and an academic knowledge base. I ended the year with much more confidence in my abilities. Every class I took went far beyond an explanation of how to use the product; for every topic we covered there was something new to be learned either from the class instructor or shared by the experienced students in the room. 

I was able to attend the Magnet User Summit in Nashville and took four courses: Magnet AXIOM Examinations (AX200), Advanced Computer Forensics (AX250), Advanced Mobile Forensics (AX300) and Internet and Cloud Investigations (AX320).  I wish I had been able to make full use of the training pass to attend macOS Investigations (AX350) and Incident Response Examinations (AX310) as well. To whomever has this opportunity in the future I would tell them to take full advantage of the training pass and make time to take each class (and leave a little room at the end of the year in case they add more.)

The other advice I would give is to ask questions and get to know the people in the room.  I quickly saw that Magnet Forensics is great about responding to end users’ needs and sharing knowledge. In every class I was in, there was a developer or two in the room taking the class and taking notes to improve the product.    

I had a busy 2019 and ended the year transferred from the Burlington Police Department General Investigations Bureau to the county-wide Chittenden Unit for Special Investigations. I’ve been using AXIOM regularly and took advantage of the cloud license to quickly acquire and process victim’s accounts. I’ve also been using it to process warrant returns much more thoroughly. As a department, we have been able to get a lot more work done in-house on desktop and mobile systems without having to wait in the statewide queue. 

The experience has left me wanting even more. I intend to get into a graduate program this fall and more importantly work to establish a sustainable digital forensic program at our department. I genuinely appreciate the opportunity, knowledge and the contacts I made in the digital forensic community that Magnet Forensics provided me. 

Apply for a Magnet Scholarship Award Today

We want to give promising new officers an opportunity to get a head start in digital investigations. If you are currently performing a non-technical role and would like to explore future career opportunities in digital forensics, or you’re currently inexperienced with Magnet AXIOM, then this scholarship program is for you. Visit our Scholarship Program page and send in your application today!

The post Catching Up with the First Winner of the Magnet Forensics Scholarship Award appeared first on Magnet Forensics.

Meet the Recipients of the 2019 Magnet Forensics Scholarship Award!

Last year, we were excited to expand the Magnet Forensics Scholarship Award Program to include candidates that were new to digital forensics and those that were new to Magnet AXIOM.

We’re proud to announce the two winners for 2019: Kate Newrick, Investigator with the Digital Child Exploitation Team within the Department of Internal Affairs in New Zealand, and Lawrence Mowery, Computer Forensic Detective with the Moscow Police Department in Idaho. We caught up with Kate and Lawrence to find out more about their experience in the field, their hopes for the Magnet Forensics Scholarship Award, and more — read more below.

We also checked in with the first recipient of the Scholarship, Eric Dalla Mura, who gave us an update about how he was able to make great use of the advantages given to him by the program. Read his thoughts here.

Nominations are also now open for the 2020 Magnet Forensics Scholarship Award! We’ll again be offering two scholarships: one for someone who is brand new to digital forensics and another for someone who already has experience in the field but hasn’t had a chance to learn more about Magnet AXIOM.

Head over to our Magnet Forensics Scholarship Award page for more details and to get your applications in.

Q&A with the 2019 Magnet Forensics Scholarship Award Winners

Kate Newrick, Investigator with the Digital Child Exploitation Team within the Department of Internal Affairs in New Zealand

Magnet Forensics: Tell us about your current role/department.

Kate Newrick: I am an Investigator with the Digital Child Exploitation Team within the Department of Internal Affairs in New Zealand and have been working in this role for approximately 18 months.

Lawrence Mowery: I was hired as a lateral officer in December of 2018 to fill the newly vacated position of Computer Forensic Detective with the Moscow Police Department.

Magnet Forensics: What has been your policing experience up until now?

Lawrence Mowery, Computer Forensic Detective with the Moscow Police Department in Idaho

Lawrence Mowery: In 2010, I began my law enforcement career as a detention deputy. I was as a patrol officer position with the Lewiston Police Department in 2012. During that time, I enjoyed being a Field Training Officer (FTO) and Breath Test Specialist (BTS).

I am currently a POST Certified Emergency Vehicle Operations Course (EVOC) Instructor for the State of Idaho and have recently become a new member of the Latah County Regional SWAT.

Kate Newrick: While I have no policing experience per se, I have been working in different regulatory roles for approximately eight years. I am relatively new to my current role, but I have previously worked as an Investigator for both the Electronic Messaging Compliance Unit and Charities Services teams, also within the Department of Internal Affairs. The Electronic Messaging Compliance Unit investigates the sending of unsolicited commercial electronic messages (spam) whereas the Charities Services role was focused around financial investigation of charities to ensure that income was used for charitable purpose.

Magnet Forensics: How would you describe your knowledge of digital forensics up until now?

Kate Newrick: While I have completed some basic EnCase Computer Forensic and Mobile Device Forensic training courses as part of my previous role, I would describe my current forensic knowledge as limited.  My role in the Digital Child Exploitation Team has a much higher requirement for forensic knowledge and skills, so I certainly have a lot to learn!

Lawrence Mowery:  Prior to my career in law enforcement, I worked at a small Internet Service Provider working with networks and servers. In 2014, I graduated from Liberty University with a bachelor’s degree in Multidisciplinary Studies (Criminal Justice and Religion). During my enrollment, I completed a few courses in computer forensics.

For the past year, I have been learning on the job and attending as many online webinars as possible to learn the vast expanse of digital forensics. I have begun networking with those who have been in the forensic field in an attempt to assist me in learning the various tools and practices for my investigations. I have also been working with the Idaho Internet Crimes Against Children’s (ICAC) Taskforce and hope to become a taskforce member sometime in 2020.

Magnet Forensics: What made you want to get into the field?

Lawrence Mowery:  My past computer experience, along with the ever-changing digital technology world, made digital forensics an exciting and fulfilling opportunity for me. I have always enjoyed the systematic approach to investigations and the often need to approach problems from peculiar or different angles.

Kate Newrick: Prior to entering regulatory fields, I worked with victims of sexual abuse who were experiencing mental injury as a direct result of that abuse.  My role was to assess whether the person was entitled to Government-funded counselling sessions and monitor their progress once they were in treatment.  While this is a great initiative for those individuals who have survived sexual abuse experiences and are struggling with the ongoing effects of those experiences, I quickly became aware that I wanted to work in an area that aimed to prevent or reduce abuse experiences occurring in the first place. I feel very privileged to now be working as part of a team, and international efforts, which aim to combat child sexual abuse. 

Magnet Forensics: How did you hear about the Magnet Forensics Scholarship Program?

Kate Newrick: A forensically savvy colleague saw the Scholarship Program advertised and, along with our Manager, recommended that I apply as it would be a great training opportunity for me as a new Investigator in this field.

Lawrence Mowery:  I found out about the Magnet Forensics Scholarship Program online while doing research for training opportunities and the resources to obtain certification for Magnet Internet Evidence Finder (IEF). I read the Q&A with Detective Corporal Eric Dalla Mura, with the Burlington Police Department (Vermont), and informed my supervisors the scholarship was something we needed to send an application in for.

Magnet Forensics: What are you hoping to achieve after completing the Scholarship Program?

Lawrence Mowery:  The scholarship opens a few major doors for myself and my department. The first is getting access to Magnet AXIOM. I had previously been using IEF on most of my investigations but knew Magnet AXIOM was the software I wanted to be using in the future. The scholarship allows me the necessary migration path to Magnet Forensics’ flagship software.

Secondly, the Training Annual Pass (TAP) was the very thing I was researching when I found out about the scholarship. The opportunity to take in-person and online classes to gain the knowledge and certifications needed to provide solid testimony in a courtroom classroom is priceless.

And finally, I had the opportunity to meet some of the Magnet Forensics employees at a recent ICAC convention and was impressed with their knowledge and determination to make the software the best. I heard other users discuss suggestions and needs. They were always met with positive and supportive feedback. It was amazing to see that Magnet Forensics does not only provide great software, but great employees who will be valuable networking partners.

Kate Newrick: I believe that improving my forensic knowledge and skills will not only greatly increase my ability to locate pertinent evidence during forensic examinations, but also allow me to speak authoritatively about the tools and processes used in such examinations during any legal processes which result from an investigation. Most importantly, I hope that completing the Scholarship Program will ultimately enhance my ability to identify and assist children at risk.

Magnet Forensics: What are you looking forward to learning in the program?

Kate Newrick: I’m looking forward to building a really solid foundation in forensic knowledge and skills, which I hope to be able to share with my colleagues and apply successfully to my investigations.   

Lawrence Mowery:  I am looking forward to gaining my certification and becoming trained to use Magnet AXIOM to the fullest. Most users of any type of software do not use the software to the fullest because of two factors: they do not understand how the software works and interacts with the data and they do not comprehend the extent of what the software can accomplish. With this scholarship, I am going to learn how to fully utilize the software for my investigations and learn how it is doing the work for better courtroom testimony.

Magnet Forensics: How has the support been from your leadership?

Lawrence Mowery:  My administration has been outstanding in their support for my position. Chief James Fry has laid out a plan for the department to have one of the best forensic labs in the region. And although we are a small department, we assist in digital investigation cases to dozens of agencies ranging from local municipalities to the FBI. My administration’s vision and support were a major factor in my joining the Moscow Police Department as the computer forensic detective.

Kate Newrick: I am very fortunate to have extremely supportive leadership who recognize that this is an amazing opportunity not only for my own professional development, but also for the development of the wider team. 

Magnet Forensics: Any other thoughts you would like to share?

Lawrence Mowery:  I have been married to my beautiful bride for 16 years and have two rambunctious and often-times quarrelsome boys.

Kate Newrick: Both myself and my organisation are hugely grateful for this opportunity and I can’t wait to start learning!

Learn More About the Magnet Forensics Scholarship Program

We want to give promising new officers an opportunity to get a head start in digital investigations. If you are currently performing a non-technical role and would like to explore future career opportunities in digital forensics, or you’re currently inexperienced with Magnet AXIOM, then this scholarship program is for you. Visit our Scholarship Program page and send in your application today!

The post Meet the Recipients of the 2019 Magnet Forensics Scholarship Award! appeared first on Magnet Forensics.

Take Advanced Computer Forensics (AX250) as an Online Self-Paced Course

If you’re looking to expand your knowledge base on advanced forensics and improve your computer investigations, our Magnet AXIOM Advanced Computer Forensics (AX250) course is just for you — and it’s easier than ever to take part.

An expert-level four-day training course designed for participants who are somewhat familiar with the principles of digital forensics, AX250 is now available as an online self-paced course — giving attendees the opportunity to take the class anytime, anywhere.

Students will get a training experience comparable to taking the class in any other format, including Classroom Instructor-Led and Virtual Instructor-Led. By taking AX250 as an Online Self-Paced course, you will not only get the added convenience of a flexible location, but the option to take the course at your own pace.

Sign up for Online Self-Paced AX250 here. If you have a Training Annual Pass (TAP), taking AX250 is included.

Don’t have a TAP pass yet? Grab yours today for less than the cost of two courses!

For more information on Magnet Forensics Training and Certification visit here.

The post Take Advanced Computer Forensics (AX250) as an Online Self-Paced Course appeared first on Magnet Forensics.

Uber Acquisition, Timestamps in Google Search URLs, and Updated Artifacts in Magnet AXIOM 3.10!

Magnet AXIOM 3.10 is now available to download within AXIOM or over at the Customer Portal. AXIOM 3.10 allows you to acquire from Uber and get new timestamps in Google search URLs, as well as more than 20 updated artifacts.

If you haven’t tried AXIOM yet, request a free trial here.

Acquisition from Uber

Uber is a perfect example of the recent trend among apps to have more and more data stored on the Cloud versus devices themselves.

When dealing with a consenting individual that has access to their phone, you can now acquire their cloud Uber data using Magnet AXIOM 3.10, including details of each trip the user has taken using Uber (such as start and end addresses, times, and coordinates). This can be helpful to place the user at a specific location at a given time.

Timestamps in Google Search URLs

Building on AXIOM’s strong support for examining search history, you can now get even more information from Google search histories.

Two new evidence items can be analyzed in Magnet AXIOM 3.10:

  • Previous Page Load Date/Time (sxsrf= value): this timestamp reflects the time when the page (google.com) was loaded before the actual search was conducted
  • Page Load Date/Time (ved= value): this timestamp reflects the time when the actual search was conducted

This timestamped data is in the Google search URL itself and can help you draw conclusions about a user’s browsing habits.

Learn more in this how-to from Jamie McQuaid.

Passware Updates Improving McAfee Encryption

We’ve updated our Passware integration with minor improvements to McAfee encryption support. Passware (and therefore AXIOM) now supports up to version 7.2.2.x of McAfee.

With AXIOM 3.10, mounted drives are now scanned properly, passed to Passware, and returned decrypted.

We’ve also updated AXIOM to allow editing column filters in Examine.

Artifact Updates

  • Google Searches (macOS/Windows)
  • Videos (macOS/Windows)
  • Adium (Windows)
  • Dropbox (Windows)
  • Shim Cache (Windows)
  • Skype (macOS/Windows)
  • Windows Mail (Windows)
  • Remote Desktop Protocol (Windows)
  • Significant Locations (iOS)
  • Signal (iOS)
  • Messenger (iOS)
  • Instagram (iOS)
  • Tinder (iOS)
  • Pinterest (iOS)
  • VK (iOS/Android)
  • Twitter (iOS)
  • GroupMe (Android)
  • Tumblr (Android)
  • Google Maps (Android)
  • Device Information (Android)
  • Wallet Transactions (iOS)

Get Magnet AXIOM 3.10 Today!

If you’re already using AXIOM, download AXIOM 3.10 over at the Customer Portal. If you want to see how AXIOM 3.10 can help you find the evidence that matters, request a free trial today!

The post Uber Acquisition, Timestamps in Google Search URLs, and Updated Artifacts in Magnet AXIOM 3.10! appeared first on Magnet Forensics.
