Channel: Magnet Forensics

Facebook Warrant Returns in Magnet AXIOM

AXIOM supports Facebook Warrant Returns that are in a .zip package as part of our Warrant Return support. Unlike Apple returns, Facebook and other providers don’t require you to decrypt the package before loading. Facebook specific content can include the Facebook Audit Log, Friend requests, Friends, Messenger Messages, Photos, Status Updates, and Wallposts. The Facebook Audit Log artifact can include Comments, Likes, Search, Share, and Unfollowed Activities along with their timestamps. This information can be put on a Timeline with other content from your investigation to tell a larger story. There is value to collecting content from the ISP even if you have the mobile device as you may find additional artifacts, especially from the Audit Log artifact.

Figure: Facebook Warrant Return Artifacts

So how do you load these returns? What does the content look like? Check out Tarah Melton’s video of processing a Facebook Warrant Return:

If you have any comments or questions feel free to reach out to me at Jessica.hyde@magnetforensics.com. Has something changed in a Facebook return you have received? Is there more data available you would like us to support? Please drop us a line and let us know.

The post Facebook Warrant Returns in Magnet AXIOM appeared first on Magnet Forensics.


Apple Warrant Returns in Magnet AXIOM

As part of our series on Warrant Return content we wanted to show you some of the content that can be parsed, displayed, and searched in Magnet AXIOM from Warrant Returns. So, what kind of evidence can you find? Let me show you. First up let’s discuss Apple. Before loading an Apple warrant return, please ensure you decrypt the package using the instructions provided by Apple. Now your decrypted backup will include encrypted backups! Nested encryption is fun.

Once you’ve decrypted the package, AXIOM Process will decrypt the encrypted backups contained within the decrypted warrant return. Below is an example of some of the content returned with a sample Apple return. Because entire backups can be included, you can get the same content as you would on a regular backup. Including some 3rd party chat applications, pictures, video, documents, emails with header information,

Figure: Sample Apple return

Apple Warrant Returns contain emails sent to or from the associated iCloud email address, for example jsmith2020@icloud.com. Not only will you get to/from information, full header, and body of the email that is completely searchable along with the associated timestamp, but HTML emails are viewable as they are displayed to a user in the Preview pane for easy review.

Figure – Preview of an HTML email in the Preview Pane.

If you have any comments or questions feel free to reach out to me at Jessica.hyde@magnetforensics.com. As warrant return formats are subject to change at any time, please reach out if you discover a change in support!

Warrant Return Analysis in Magnet AXIOM

For anyone who receives warrant return content from Internet Service Providers (ISPs), searching and analyzing that content can be problematic. The returns are not in a standard format and there are a vast number of artifacts. The formats can change and typically come in .zip files that can include .html, .txt, .json, .csv, .xls, .pdf, .mbox, .jpg, .png, and more. In addition to having a variety of file types, the files can be nested in folder structures and multiple archives. How do you quickly look at an email or find the important or relevant chat? How do you timeline that content? And how do you coordinate it with existing data that you have from other sources? There is a need to be able to analyze these files effectively.

There are several additional challenges to analysis of warrant returns. In addition to the ever-changing formats, nested structures, and lack of standardization, it is difficult for researchers to get access to these returns.  The Cloud Team at Magnet Forensics works closely with law enforcement practitioners who are the first to know when there are changes to the packages provided by ISPs. Additionally, we work with law enforcement who can share redacted content with us so that we can effectively create parsers. If you have content you can share with us, we welcome that at any time. It takes a community to parse the content.

However, because the returns often contain file types that AXIOM already supports, AXIOM can still partially support some cloud artifacts before we are able to parse the logical content of a package into new, provider-specific artifacts. For example, a nested .mbox will still be parsed as email content and picture formats will still appear in the gallery. Because AXIOM understands .zip archives, it can still report the path of each file inside the package, including files inside nested archives.
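To make the "nested archives, many file types" problem concrete, here is an added example (not Magnet Forensics code, and not how AXIOM is implemented) that builds a small constructed package in memory and inventories it the way an examiner would want before any parsing: it descends into nested .zip files, records an archive-aware path for every file, hashes each file, tallies file types, and pulls the header fields from any .mbox it finds. The package contents, the "!" path separator for nested archives and the depth limit are all assumptions of this example.

```python
"""Inventory a warrant-return style .zip package, descending into nested archives.

Constructed example: the package built below is synthetic, not a real provider return.
"""
import hashlib
import io
import zipfile
from collections import Counter
from email import message_from_bytes, policy
from pathlib import PurePosixPath

MAX_DEPTH = 5  # assumed guard so a maliciously nested archive cannot recurse forever

# Constructed mbox content: two messages, classic "From " envelope separators.
SAMPLE_MBOX = (
    "From alice@example.com Mon Jan  6 10:00:00 2020\n"
    "From: alice@example.com\nTo: bob@example.com\nSubject: hello\n"
    "Date: Mon, 06 Jan 2020 10:00:00 +0000\n\nfirst message\n\n"
    "From bob@example.com Mon Jan  6 11:00:00 2020\n"
    "From: bob@example.com\nTo: alice@example.com\nSubject: re: hello\n"
    "Date: Mon, 06 Jan 2020 11:00:00 +0000\n\nreply\n"
)


def build_sample_package() -> bytes:
    """Build a constructed outer zip holding a CSV, a JSON file and a nested zip
    that in turn holds an .mbox and a (stub) .jpg, mimicking a nested return."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("messages/mail.mbox", SAMPLE_MBOX)
        zf.writestr("photos/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("account/subscriber_info.csv", "id,email\n1,user@example.com\n")
        zf.writestr("account/activity.json", '{"events": []}\n')
        zf.writestr("backups/backup_1.zip", inner.getvalue())
    return outer.getvalue()


def walk(package: bytes, prefix: str = "", depth: int = 0):
    """Yield (path, data) for every regular file, recursing into nested zips.
    Nested paths keep every enclosing archive, e.g. 'backups/backup_1.zip!messages/mail.mbox'."""
    if depth > MAX_DEPTH:
        raise ValueError(f"archive nesting deeper than {MAX_DEPTH} at {prefix}")
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            is_zip = PurePosixPath(info.filename).suffix.lower() == ".zip"
            if is_zip and zipfile.is_zipfile(io.BytesIO(data)):
                yield from walk(data, path + "!", depth + 1)
            else:
                yield path, data


def inventory(package: bytes) -> list:
    """One record per file: archive-aware path, extension, size and SHA-256."""
    return [
        {
            "path": path,
            "ext": PurePosixPath(path).suffix.lower(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
        for path, data in walk(package)
    ]


def summarize(records: list) -> Counter:
    """Count files per extension so the examiner sees what the package holds."""
    return Counter(r["ext"] for r in records)


def split_mbox(data: bytes) -> list:
    """Split a classic mbox on 'From ' envelope lines and extract timeline headers."""
    messages, chunk = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From ") and chunk:
            messages.append(chunk)
            chunk = []
        chunk.append(line)
    if chunk:
        messages.append(chunk)
    parsed = []
    for raw in messages:
        msg = message_from_bytes(b"".join(raw[1:]), policy=policy.default)  # drop envelope line
        parsed.append({k.lower(): str(msg[k]) for k in ("From", "To", "Subject", "Date")})
    return parsed


def find_messages(package: bytes) -> list:
    """Parse every .mbox anywhere in the package, however deeply nested."""
    found = []
    for path, data in walk(package):
        if PurePosixPath(path).suffix.lower() == ".mbox":
            for m in split_mbox(data):
                found.append({"path": path, **m})
    return found


if __name__ == "__main__":
    pkg = build_sample_package()
    for rec in inventory(pkg):
        print(rec["path"], rec["size"], rec["sha256"][:12])
    print(dict(summarize(pkg and inventory(pkg))))
    for m in find_messages(pkg):
        print(m["date"], m["from"], "->", m["to"], m["subject"])
```

The per-file hash gives you something to record before any tool rewrites or re-packages the data, and the archive-aware path is what lets a finding be traced back to its location inside the original return rather than to a temporary extraction directory. The depth guard is the one check worth keeping even in a throwaway script: provider packages are untrusted input, and a recursive walker without a limit is the easy way to get stuck on a crafted archive.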

If you are familiar with AXIOM, you may already be conducting your computer and mobile investigations in the tool. We have added warrant return support to AXIOM to help you deal with this content. Currently we support warrant returns from Apple, Facebook, Google, Instagram, and Snapchat. We are constantly working on additional formats. Are there formats you would like to see us support that you are seeing in your investigations?

One of the great things about using AXIOM to look at your warrant return data is that you can also view that data alongside your computer and mobile data. This allows you to look at the evidence more holistically and to timeline events in a more complete manner.

Want to see two examples of how to load warrant returns into AXIOM? Check out Tarah Melton’s videos on Facebook and Instagram warrant returns:

Want to know more about the artifacts we support? Check out the individual posts on:

If you have any comments or questions feel free to reach out to me at Jessica.hyde@magnetforensics.com. We would love to hear your thoughts on additional warrant returns to support and humbly look forward to any datasets you may be able to share.

(Some of) Tarah Melton’s Forensic 4:cast Award Nominations

The Forensic 4:cast Awards, coordinated by Lee Whitfield, have been a great way to recognize those in the DFIR community who go above and beyond to contribute their amazing work in the field by sharing their knowledge, research, and tools.

Over the years, some amazing contributors to DFIR have been recognized in the Forensic 4:cast awards, and we at Magnet Forensics are incredibly honored to have been voted DFIR Commercial Tool and DFIR Team of the Year last year! Nominations for this year are open until May 15, so we hope you’ll take a moment to recognize us again this year.

Some of the forensic examiners here at Magnet Forensics have been given the opportunity to share some of our own personal recommendations of who we are nominating. If you haven’t read the picks from my colleagues, Jessica Hyde and Trey Amick, you can do so here and here! The following are (some of) my own nods to the community! These are opinions of my own, and not of Magnet Forensics.

DFIR Resource of the Year

Giving a shout out to Brett Shavers for hosting the DFIR.training site for DFIR Resource of the Year. DFIR.training houses a TON of resources for the DFIR community and is continuously updated. Here you’ll find links to training, webinars, tools, blogs, jobs, keyword lists, white papers, CTFs…. seriously, the list goes on and on.

And if you are looking to share with the DFIR community, it’s a great place to submit your own resources that you use in your examinations! DFIR.training is an awesome place to find heaps of useful resources in DFIR.

DFIR Degree Program or Training Class of the Year

Full disclosure that I am a graduate of this program myself, so I know firsthand the excellence of the Digital Forensics Undergraduate Program at Bloomsburg University. This is a repeat nomination for me from last year, but it is still a deserving one! Students in the program graduate with a solid knowledge of digital forensics, and are trained to use some of the more popular commercial forensic tools to prepare them for a career in the DFIR industry. The BU Digital Forensics program is also a National Center of Academic Excellence (CAE) in Cyber Defense Education with a focus in the area of digital forensics by the National Security Agency and the Department of Homeland Security. This is an achievement only attained by meeting very stringent criteria in the curriculum, which demonstrates the quality of education given by the faculty. Additionally, they host an annual digital forensics conference, BloomCON, which in past years has drawn in more than 500 attendees, with tons of valuable lectures, labs and forensics challenges.

DFIR Mentor of the Year

I LOVE this new category in the 4:cast awards this year. And yes, again full disclosure, my nominee for this category is also a Magnet Forensics employee. But my reasons for nominating Jessica Hyde for DFIR Mentor of the Year go way beyond that. Not only has she been a personal mentor to me, but Jessica has continuously been a champion for the greater good of EVERYONE in the DFIR Community. It goes without saying that her DFIR knowledge is significant, and the additional efforts that she participates in, such as her work with DFRWS, help to motivate the community as a whole. Beyond that, you truly won’t find anyone else who goes out of their way to support and promote her fellow forensicators as much as she does, including urging others to share with the DFIR community, offering kudos to those who contribute, and spreading the word of the great work being done in DFIR across the board. So, this kudos goes to you, Jess!

DFIR Social Media Contributor of the Year

This one easily goes to Brian Moran and Kathryn Hedley for me. Not only do they share useful DFIR content for the community, but additionally, the #DFIRFit movement is so important! We are all passionate about the work we do in digital forensics, but Brian and Kathryn use their social media platform to encourage other forensicators to get out from behind the keyboard for a bit! Even when I’m heads down in research or projects, reading their posts inspires me to make sure I take a break from the DFIR world and get moving!

DFIR Newcomer of the Year

A fantastic newcomer in 2019 who we are lucky to have join the Magnet Forensics family is Mike Williamson. Prior to joining the Magnet team, Mike created his blog and has continued to share his knowledge and research. Of note is his ability to articulate how to dive into the world of reverse engineering mobile applications and the value you can get from doing so. Just check out this post on decryption of the Private Photo Vault app as an example! Great work for sure, and I suspect we will continue to see even more awesome contributions to DFIR from Mike in 2020.

Digital Forensic Investigator of the Year

Alexis Brignoni. No question here. Alexis’s contributions to the DFIR community are unparalleled. Throughout 2019, he continuously shared his tools, knowledge, and research, making it clear that he is an investigative force to be reckoned with! But don’t kid yourself, he is as humble as they come and continues to strive to learn and promote within the DFIR community, and makes sure to encourage examiners to use best practices when working digital forensics investigations. In 2019, Alexis began compiling his iOS parsing scripts into one tool called iLEAPP, giving examiners an easy way to review many key artifacts in those devices. Thank you, Alexis, for your contributions and collaborations in the DFIR community!

Those are just a few of my picks for the Forensic 4:cast Awards! Nominations end May 15, 2020, so make sure to submit those in DFIR who have helped you along the way in 2019! We appreciate the support of our customers and always value your feedback, so please don’t hesitate to reach out at tarah.melton@magnetforensics.com

GrayKey Now Available Through Exclusive Partnership in Japan and South Korea

This announcement is also available in Japanese and Korean.

Click here to view the blog (Japanese).

Click here to view the blog (Korean).

We are proud to announce that GrayKey is now available in Japan and South Korea as part of our exclusive technology and distribution partnership with Grayshift. At the heart of this partnership is a shared commitment to helping law enforcement agencies seeking justice and protecting the innocent.

GrayKey is available for purchase directly from Magnet Forensics to law enforcement agencies in select countries around the world and with this expansion, we’re excited to be able to offer it to the Asian market.

While Magnet AXIOM offers the most robust analysis and reporting capabilities, GrayKey offers a state-of-the-art and industry-leading image acquisition and unlocking scheme for currently marketed iOS devices. Using both in combination, law enforcement agencies will have a cost-effective solution to get the most relevant evidence from iOS devices while maintaining control over the entire analytical process.

Watch this video in Japanese or Korean to see why our Founder and CTO, Jad Saliba and Grayshift Co-Founder David Miles are so excited about this partnership:

How Can an Investigative Agency Buy a GrayKey?

To contact a Magnet Forensics sales representative, fill out the form at the bottom of our Japanese and Korean pages. Our team looks forward to sending you a demo of GrayKey and Magnet AXIOM.

If you have any questions, please contact us by emailing sales@magnetforensics.com. Or, if you’re in Japan, you can contact our public partner Quality Net.

Why Automation in Digital Forensics?

As examiners and investigators already know, the exponential growth of casework is daunting. As devices get smaller and storage sizes get bigger, forensic labs are seeing the effects of these growing data hauls. The International Data Corporation (IDC) predicts the world’s collective digital data to grow to roughly 175 zettabytes (that’s approximately 175 billion terabytes!) by the year 2025. The time and human effort it now takes to examine these devices thoroughly creates backlogs and expenses that are almost unavoidable.

Automation in digital forensics casework can help alleviate some of these issues, but unfortunately it is often misunderstood. The intent of automation is not to undermine the need for skilled examiners, but to empower and enable them to focus on the important casework that requires advanced knowledge of digital forensics. Even with the implementation of automation, the need for skilled examiners is not going away! In fact, the U.S. Bureau of Labor Statistics estimates that employment in the digital forensics field will grow by 28% between 2016 and 2026. Automation helps to better utilize the resources that you have available in your forensic lab, both human and machine. Here’s how:

1. Alleviate Backlogs

The repercussion of having significant backlogs is that labs must prioritize the cases they work, resulting in “lower value” cases being put on the backburner. There is a hidden, suppressed demand for tackling those cases that are being temporarily thrown to the wayside, but many times investigators are effectively being trained not to submit lower priority cases, which would only sit at the back of the queue.

There is much missed opportunity to efficiently process and surface valuable artifacts that will easily and rapidly bring those cases to an effective close. The implementation of automation in these cases can uncover some of those artifacts, allowing examiners to efficiently report on the cases that may otherwise never be investigated due to an overwhelming caseload.

2. Streamline Repetitive Tasks

Regardless of what type of case we are working, it goes without saying that there are processes that we tend to run over and over again. Of course, we aren’t suggesting using ONLY automation in your forensic lab. Using the toolbox approach to processing case data is ideal, but it means examiners constantly perform the same forensic processes on their case data.

For ICAC examiners, this could mean the repetitive task of moving data out of one tool via a VICS JSON export and into another for deeper analysis and review. For those examiners dealing with major crimes or counterterrorism, much time might be spent dealing with the sheer volume of data that you come across and exporting some of the key items like chats or web history out to different stakeholder groups. In the corporate environment, examiners may spend a lot of time running the same scripts in every case and processing consistently with the same software, such as Volatility.

Utilizing automation allows forensic labs to streamline these processes, letting examiners off the hook for menial tasks like “clicking next” time and again. Multiple automation workflows can be implemented, each one customized to suit the needs of the lab and the types of cases that are consistently worked. This allows examiners to spend their time where it’s best spent – gaining access to the suspect devices, analyzing the data, and reporting on their findings. This also creates a repeatable workflow, helping to ensure that all cases are processed according to the Standard Operating Procedures (SOPs) implemented in your lab. Adhering to your SOPs can be incredibly important if you have or are seeking formal accreditation, such as ISO 17025.

3. Utilize Machines During Normal Downtime

In forensic labs, we rely on our hardware to work as hard as it can for the fastest processing time possible. If possible, we upgrade our storage drives, RAM, and CPU in hopes that the processing time for our case data decreases dramatically and we can get to our examination as soon as possible. Many times though, examiners are unable to fully utilize this processing power due to downtime between processes.

Unfortunately, examiners cannot (and should not!) work 24/7 to make sure these processes are initiated on weekends or in the middle of the night; however, utilizing automation can make sure that your hardware is put to use around the clock. When one process finishes, another can be in the queue and immediately executed, regardless of the time of day.

With automation, you can also take advantage of parallel processing, allowing multiple processing nodes to work simultaneously to run several forensic tools and scripts at the same time! Then, on Monday morning, your skilled examiners can get right to work with the data that has already been processed. In our experience and testing, we found that using automation on a case containing approximately 1.7TB of data reduced downtime by 94%, allowing examiners to start reviewing the evidence 2 days sooner.

4. Focus on the ACTUAL Forensics!

Once automation has been utilized to run your routine processes, examiners are able to dive right into the analysis of the processed data. What is very clear when using automation in a forensic lab is that the need for skilled examiners will never go away, and they are arguably more vital now than ever. The processed data will still need an expert’s eyes on it because at the end of the day, data is just data until forensic analysis is performed to truly tell the digital story. Automation allows examiners to dedicate more time to analysis and reporting, ultimately enabling them to spend that time building a stronger case. Not only are examiners needed to analyze the processed data, but also to identify any errors that may have occurred during processing. Encryption, unsupported file systems, or even just bad sectors can cause issues with processing, and examiners require the skillset to recognize when a deeper look at the processed data may be required.

The key takeaway is that it is not the forensic examination, analysis, testing, and validating that should be seen as being automated in a forensic lab. It is the menial tasks, the tedious button clicks, and the status bar watching that we want to take off the skilled examiner’s plate so they can then do the deep dive. Ultimately, improving speed and efficiency will help alleviate the backlogs, reduce reliance on outsourcing casework, and make the evidence more quickly available and accessible, without sacrificing the quality of your investigations and forensic analysis in your lab.

Want to learn how Magnet AUTOMATE can help you complete investigations faster by automating repetitive tasks so examiners can focus on the complex problems? Visit the Magnet AUTOMATE page and fill out the form to contact us.

Magnet Virtual Summit Registration is Now Open!

Every day in May we have amazing presentations lined up for you at Magnet Virtual Summit 2020—and now you can register to save your spot!

Head over to the registration page to register for the event and select all of the sessions you want to participate in. For each session you attend, you will be issued a certificate that you can use to count towards training time requirements.

Magnet Virtual Summit Keynote

Join us on May 4 at 11:00AM ET/5:00PM CET for our Feature Presentation, where our Founder & CTO, Jad Saliba, and VP of Product Management, Geoff MacGillivray, will take the “virtual” stage (from their homes) and share exciting updates, including: the latest industry trends and how our software solutions are helping labs around the world cope with current challenges, an exclusive look at our latest solutions & innovations, and the unveiling of Magnet AXIOM 4.0—providing new ways to work through cases faster, greater flexibility when reporting, and more confidence when processing cases, all while recovering data from the most evidence sources.

Magnet Social Hour

We’re finishing off the first day of the Magnet Virtual Summit with a Magnet Social Hour—so join us on May 4 at 4:00PM ET for a casual “Ask Us Anything” hangout with Jad, Geoff, and other members of the Magnet Forensics team. We’ll have our favorite drinks in hand, and we hope you do too! Make sure to sign up to gain access while selecting your sessions during registration.

DFIRFit 2020

We have teamed up with Brian Moran and Kathryn Hedley to plan an entirely virtual #DFIRFit event, so you can participate from wherever you are in the world! On May 12, we ask that members of our community do physical activity (of any kind) for at least 30 minutes and share a picture of it on Twitter, tagging it with #MVSDFIRFit2020 (and yes, costumes are encouraged!)

As in past years, we encourage a charitable donation, but it’s not required. However, we have a special treat for those who do! Make a minimum donation of at least $30 (USD) to one of the three selected charities (Play Like A Girl, Middle Tennessee Emergency Response Fund, or Gates Foundation Combating COVID-19 Fund), and you’ll qualify for a swanky limited-edition prize pack (please note, supplies are limited!).

For more information, check out MVSDFIRFit2020.com.

DFIR CTF Challenge and a Recording of the Forensic Lunch Podcast

When registering, be sure to save your spot for our DFIR CTF Challenge on May 12 at 5:45 ET—a question-and-answer-style challenge where you will get to test your forensic skills and compete for the chance to win prizes! Upon registration, you will be supplied with the files that need to be installed on your laptop in advance of the competition.

We’re also excited to welcome The Forensic Lunch again this year, as they stream a live broadcast on May 13 at 1:00PM ET, hosted by David Cowen and Matthew Seyer featuring Jad Saliba, Jessica Hyde, Director of Forensics, Brian Moran, and the winner of our CTF!

We Can’t Wait to Kick Off #MVS2020!

Save your spots today at our Magnet Virtual Summit registration page! Have any questions? Visit www.magnetvirtualsummit.com for more info or feel free to email us at: magnetvirtualsummit@magnetforensics.com.

Be sure to share your favorite sessions, insights, and, if the mood strikes you, costumes on social media! Use the #MVS2020 hashtag on Twitter, LinkedIn, Facebook, and Instagram so we can continue to bring the DFIR community together—even when we’re apart.

Jamie McQuaid’s 2020 Forensic 4:cast Nominations

Every year around this time, we get to submit nominations for our favorite tools and people in the DFIR industry for the Forensic 4:cast awards. I really like these awards because they’re the closest thing we have to peer or examiner focused awards. You might consider it like the people’s choice awards for digital forensics. There are two steps to the process: nominations and voting. Currently, nominations allow us to select our favorites for any of the categories and write in why we chose to nominate them (the full list of categories and rules can be found here).

Once nominations are finished, Lee Whitfield picks the top three nominations for each category and everyone gets the chance to vote for the favorite. Here at Magnet Forensics, a few of our examiners always pick a few of our favorites and write a blog about our reasons why. I avoid reading or discussing the picks of my colleagues before making my choices because I don’t want them to influence my choices (after writing this, apparently Jessica and I were on the same page for a lot of things 😊, anyway here’s my list):

DFIR Groundbreaking Research of the Year

Given that my vote last year for this topic was to nominate the exploitation work done by Grayshift and their GrayKey tool which opened up a whole new world in how we do iOS investigations, it’s no surprise that my vote this year goes to the checkm8 exploit developed by @axi0mX. This bootrom exploit has allowed anyone to access any iOS device up to the A11 chipset (iPhone X) and set the groundwork for other tools to build exploits and extraction methods built on top of this exploit to gain access to the most valuable data stored on iOS devices. This will enable anyone to conduct research on iOS data that otherwise might have been restricted before. I don’t think there’s been a breakthrough that has benefited the DFIR community as much as this exploit in 2019.

DFIR Article of the Year

This year I’ve chosen to nominate Bradley Schatz’s article: “AFF4-L: A Scalable Open Logical Evidence Container”. AFF4 as a forensic image format has been around for several years (since 2009) and is starting to pick up traction in forensic tools because of its well defined and well thought out structure that balances evidence integrity, performance, and storage use. Dr. Schatz has expanded his work on AFF4 to include the AFF4-L format for logical containers.

The AFF4-L image format for logical containers is needed even more in our industry today as, more often than not, physical images are becoming less and less relevant. Mobile acquisitions, remote computer collections, and cloud sources almost always output as logical data and it is not efficient (or sometimes possible) to obtain a physical drive or full volume from those sources. Existing logical evidence formats don’t accommodate these needs, and anyone interested in the future of how to handle digital evidence from these important sources needs to read the article.

DFIR Resource of the Year

This past year, I’ve become quite fond of the 13Cubed videos published on YouTube. A ton of great, quick videos showing various topics in DFIR and some security in general. I’ve done quite a few how-to videos in my years here at Magnet Forensics and can attest to how challenging a good video can be. These videos are always clear, straightforward, and most of all, easy to follow for new and experienced examiners alike. Many of the videos are on topics I’ve always been interested in but never had a chance to dive into myself, or some topics I’ve spent years investigating and just want a quick refresh to potentially catch anything new or I might have missed. All the videos strike a good balance of length and detail, which isn’t always easy to do.


Magnet Virtual Summit DFIRFit 2020 = #MVSDFIRFit2020

Hi! It’s Jessica Hyde with Magnet Forensics. While we are disappointed to not be running/walking the streets of Nashville like we did last year, we are excited to be bringing some of the same flavor to this year’s Magnet Virtual Summit DFIRFit 2020 event! Here are some memories captured by Kevin Pagano last year. We really enjoyed the participation from Brian Moran and Heather Smith as they played the part of dinosaurs roaming the streets of Nashville to help us raise money for charity.

Matt Seyer and Jessica Hyde getting #DFIRFit at Magnet User Summit 2019 with the help of dinosaur motivation
Chief dinosaur wrangler, Kevin Pagano, ensuring our dinosaurs safely #DFIRFit through Nashville.

Well this year, we have teamed up again with Brian Moran and Kathryn Hedley to plan an entirely virtual #DFIRFit event, so you can participate from wherever you are in the world! On May 12, we ask that members of our community do physical activity (of any kind) for at least 30 minutes and share a picture of it on Twitter, tagging it with #MVSDFIRFit2020 (and yes, costumes are encouraged!) As in past years, we ask that participants make an optional charitable donation as part of the event, but it is not required to participate in the #MVSDFIRFit2020 challenge. However, we have a special treat for those who do: make a minimum donation to one of the three selected charities (Play Like A Girl, Middle Tennessee Emergency Response Fund, or Gates Foundation Combating COVID-19 Fund) and you can qualify for a swanky limited-edition prize pack* (*please note, supplies are limited). For more information, check out MVSDFIRFit2020.com.

And as yet another bonus for this year (so many bonuses!) our prehistoric motivation is back. While we may not be able to be chased around Nashville by them this year, they can still provide encouragement, motivation, and laughter on your respective #DFIRFit journey, as training for #MVSDFIRFit2020 has already begun!

Dinosaur getting pumped for #MVSDFIRFit2020 day on May 12th.

So, What Can You Do to Participate?

  1. Do some type of physical activity (run/walk/jog/weightlift/bike/yoga/dinosaur wrangling/curling/etc.) for at least 30 min on May 12th, as we all virtually get #DFIRFit together apart.
  2. Post a picture/video of that activity on Twitter with the #MVSDFIRFit2020 hashtag (preferably in costume/#DFIRFit apparel/#MVSDFIRFit2020 gear).
  3. (Optional) Fill out the form on mvsdfirfit2020.com and donate to one of the three designated charities:
    Play Like A Girl
    Middle Tennessee Emergency Response Fund
    Gates Foundation Combating COVID 19

Oh, remember how we mentioned swag prize packs? – Heck yeah!

1) There is an awesome prize pack for those who donate including a limited edition* medal, sticker, magnet, and webcam cover. Brian designed this incredible logo for the originally planned event:

(*quantity is limited to the first 30 individuals who register)

Limited edition charity donation prize pack

2) BONUS: Magnet Forensics will have a special prize for the most creative picture/video of a #DFIRFit activity with the #MVSDFIRFit2020 hashtag on May 12th. We will announce the winner live on the Forensic Lunch on May 15th.

3) Also, Brian modified the original logo and created designs for t-shirts and hoodies! So if you are interested, #MVSDFIRFit2020 branded items will be available for purchase here.

Why That Design?

As you may remember from last year, participants in the run/walk got a limited-edition running bib with a similar logo, that you were able to customize however you saw fit. For this year’s logo, Brian did an incredible job showing the Nashville skyline, the Magnet Logo, and the dinosaur motivation for the walkers and runners! Brian even made the medal in the shape of Davidson County, Tennessee where Nashville is located. For the stickers and magnets, the logo was updated from Magnet User Summit to Magnet Virtual Summit.

Brian’s design for the #MVSDFIRFit2020 medal.

We can’t wait to see how you are getting #DFIRFit and how much we can raise as a community for these great causes. I want to thank Brian Moran and Kathryn Hedley not only for all their work helping create this amazing event, but for all the motivation they have given to the entire community with the #DFIRFit Movement. Please consider nominating them for Social Media Contributors of the Year for the Forensic 4:cast awards.

We are looking forward to your pictures and to seeing you all at the Magnet Virtual Summit starting May the 4th! If you have comments or questions, be sure to reach out to me at jessica.hyde@magnetforensics.com

The post Magnet Virtual Summit DFIRFit 2020 = #MVSDFIRFit2020 appeared first on Magnet Forensics.

Meet Magnet Forensics’ Training Team: Chris Blight


Introducing one of our newest Magnet Forensics Trainers, Chris Blight.

Chris comes to us from an extensive background in UK law enforcement and, as a trainer, enjoys passing on knowledge to others. Check out our interview with him below!

Want to learn more about what courses are offered? Visit our Training & Certification page for more information.

MF: Tell us about your life before becoming a Trainer.

CB: Before becoming a trainer at Magnet Forensics I spent nearly fifteen years working in law enforcement for South Wales Police, in the UK. My previous role was based at the Digital Forensics and Cyber Crime Unit, where I carried out digital forensic investigations in predominately child exploitation cases. I was also responsible for the IT infrastructure and estate for the department, so I was kept busy!

MF: What made you want to be a Trainer?

CB: After having worked digital forensic investigations for a number of years, and acted as a mentor to numerous investigators, I felt that I’d like to give back to the community in a different way. I always enjoyed passing knowledge on to others, and the opportunity to join Magnet, having been such a huge advocate of their tools, made it an easy decision to make!

MF: What type of training have you taken part in personally? What is your favorite part of the role?

CB: I’ve taken part in numerous training courses. I have certifications from the College of Policing, Guidance/EnCase, MSAB, CompTia, Microsoft, and of course, Magnet!

MF: What excites you the most about a new class?

CB: The most exciting part of any class is getting to meet examiners and investigators from various organisations across the world. It is fascinating to meet with individuals from all walks of life. It is interesting to learn the differences between various organisations, agencies and cultures; but what strikes me more, is the similarities between us.

MF: Do you ever learn anything from the students?

CB: I learn something from a student in every single class! Digital Forensics is such an expansive subject, and moves so quickly, that it’s simply impossible to know everything. As well as learning from the students, I think the students also learn a lot from each other. There is generally a wealth of experience and knowledge in every classroom.

MF: Is there a particular moment that stands out the most to you in your career in the classroom?

CB: I’ll never forget my first time teaching for Magnet, and walking into the National Computer Forensics Institute in Alabama. It was quite intimidating! The thing that stands out for me the most though, isn’t a specific moment as such: there are certain points where you relay a certain piece of information and instantly get feedback. I hear comments such as, “I had no idea it could do that!” during each and every class!

MF: What do students get out of training in person that they can’t get on their own?

CB: It’s the interaction. You hear the stories from the students, and the challenges they encounter, and you can really contextualise the material to suit their specific needs. I also engage in a lot of great conversations and answer a lot of questions around the lunch table and after class! The learning doesn’t begin and end in the classroom!

MF: How prepared do you feel students are to use Magnet Forensics products after taking the training course?

CB: The students will walk away from the class much more prepared than when they walked in. I had been using AXIOM Examine for many years as an investigator, and after my first Magnet course I was just staggered at how I’d been under-utilising AXIOM.

MF: What is most unique about Magnet Forensics’ approach to training?

CB: All of the training curriculum has been developed by a team with decades of examination and investigation experience between them. Every course, lesson and module is created with how it’s going to be applied to real cases, in mind. The majority of the team have spent years performing examinations and giving evidence in court, and have a real first-hand understanding of the needs, challenges and requirements of their students. All this knowledge and experience is brought into the classroom, and I’ve found the majority of students find it much easier to engage with those who’ve had to walk in their shoes, so to speak.

MF: Why do you think certification is important to examiners?

CB: Certification is really important. Not only do the students gain vital knowledge, but they gain credibility. This is so important when giving evidence.

MF: How do you manage to keep up on the latest trends in digital forensics?

CB: As well as keeping abreast of current trends through online publications, and of course through digital forensics forums such as forensicfocus; I also keep in touch with a number of law enforcement organisations to understand the challenges they’re experiencing and trends that appear to be emerging.

MF: What trends do you see coming down the pipeline in digital forensics?

CB: Over the years we’ve seen the move from predominately ‘deadbox’ examinations, to mobile devices, to the advent of IOT devices. Ultimately, I think the necessity to recover data from the Cloud is going to increase dramatically. Virtually every smartphone on the planet has data stored in cloud services, as well as SAAS (Software as a Service) become far more commonplace. I think this is an area that is currently worryingly overlooked during digital forensic investigations. This is surely going to increase with the advent of 5G.

Thank you, Chris! Welcome to the Training team and to Magnet Forensics overall—we look forward to seeing your future contributions.

Read our previous interviews with VP Training Chuck Cobb, Director of Training Operations Jamey Tubbs, Chris Vance, Patrick Beaver, Doug Estes, Lyn Goh, Larry McClain, Hoyt Harness, Chris Cone and Jerry Hewitt.

The post Meet Magnet Forensics’ Training Team: Chris Blight appeared first on Magnet Forensics.

Magnet Virtual Summit and the Digital Forensics Discord Server


As the team here at Magnet Forensics has been working hard to try to bring a fantastic experience, we wanted to find a way to ensure that attendees of the Magnet Virtual Summit wouldn’t miss out on one of the most important elements, meeting with others, having great forensic conversations, meeting with the speakers, and what is affectionately called “LobbyCon” or “HallwayCon”. So we were trying to think of how to bring this element, and we realized that we already know where more than 3K DFIR professionals are chatting and talking – Digital Forensics Discord Server. We are proud to announce that the Digital Forensics Discord Server will be hosting channels throughout the Magnet Virtual Summit for attendees!

How Do I Join These Conversations?

Well, if you are already a member of the Digital Forensics Discord Server, it is simple. Each day of the Magnet Virtual Summit there will be channels set up for each of the industry talks (excludes labs, keynote, and social events which already incorporate conversational elements) under the heading Magnet Virtual Summit.

We encourage conversations about the topic and about the presentation, including live during the talk. Once the presentation concludes, the speakers will head over to the channel and continue the conversation. This provides an opportunity to ask additional questions, much like approaching the speaker at the conclusion of a talk in real life. Feel free to network, chat, and move conversations to DMs. We hope that this will provide you that opportunity.

New to the Digital Forensics Discord Server or Discord in General?

That’s okay! Andrew Rathbun drafted a fantastic blog about getting started on the digital forensics compendium site AboutDFIR. You can register for the Digital Forensics Discord Server here.

We would like to thank Andrew and all the moderators from the Digital Forensics Discord Server for graciously being open to this attempt.

Let me know if you have questions by reaching out to me via email jessica.hyde@magnetforensics.com.

The post Magnet Virtual Summit and the Digital Forensics Discord Server appeared first on Magnet Forensics.

Analytics in Magnet AXIOM


We have a proud tradition of bringing you Analytics functionality in Magnet AXIOM —without the need to purchase or install an extra module or add-on product. Even early versions of AXIOM, like AXIOM 1.1, directly included Analytics capabilities such as Magnet.AI.

When we think about Analytics in AXIOM, it’s all about the features and functionality that empower you to quickly and easily derive insight and intelligence. AXIOM does that by using technology like machine learning or CBIR (Content-Based Image Retrieval) as well as using data visualizations so you can intuitively interpret and understand the story of your digital evidence.

Let’s take a look at some of the Analytics features in AXIOM in a bit more detail.

Analyze Data From All Evidence Sources in a Single Case File

When you’re investigating a suspect, you’re most likely not just investigating that suspect’s computer, or only their mobile device, or a specific cloud account. You’re investigating that individual and all of the different digital footprints that they leave regardless of the evidence source. And you need a tool that natively supports examining evidence from all of those evidence sources in a single case file so you can quickly and easily see the entire story of the evidence.

Magnet AXIOM is the go-to forensics platform for many labs when they need to examine data from computer (Windows and Mac devices), memory, mobile, and cloud evidence sources.

  • COMPUTER: Ingest and analyze data from Windows and Macs and use an artifacts-first approach to find the most Internet evidence, media, and chats.
  • MOBILE: Recover data from Android and iOS devices; plus, AXIOM is the only tool integrated with GrayKey. Bonus: no more manually validating GrayKey images after downloading them, AXIOM does it automatically!
  • CLOUD: Retrieve data from cloud services (e.g. Facebook, Wickr, Signal, and more), plus ingest warrant returns, public-facing data, and user generated archives like Google Takeout.
  • MEMORY: Easily process memory with Volatility seamlessly integrated into AXIOM at no extra cost.

Connections: Visualize Relationships

When you’re working with terabytes of data from many different sources, it can be difficult to piece together how artifacts, people, or even devices, all relate to each other. It can be even more difficult to find insights that help you move your investigation forward quickly.

AXIOM’s Analytics feature Connections helps you quickly find and visualize data across all your evidence sources and can shed light on evidence that may never have surfaced otherwise. For example, you can see how a specific picture file got on a device, how it was accessed, and if it was shared and with whom.

Check out our blog, Letting Connections in Magnet AXIOM Work for You, to learn more about Connections and watch a brief how-to video to see it in action for yourself.

Magnet.AI: Leverage Technology to Save Time

Machine learning has been in AXIOM (almost) from the very beginning: text-based analysis was introduced in AXIOM 1.1 to help identify luring or grooming conversations common to ICAC investigations.

With the launch of AXIOM 2.0, AXIOM identified images that may contain depictions of child sexual abuse, nudity, weapons, and drugs—and we continued to add support for more classification categories including hate symbols, identification like licenses or passports, screenshots, and more.

With soon to be released AXIOM 4.0, we’ll continue to add to Magnet.AI. AXIOM 4.0 will introduce the ability to load a query image and find similar pictures in your case file. This effectively gives you the ability to customize and create your own image classifications.

This new Analytics feature in AXIOM leverages Content-Based Image Retrieval (CBIR) technology to quickly find similar pictures in your case based on a query image that is either already in your case or an external picture that you’ve loaded into AXIOM.

Timeline: See Your Case Unfolding

Timeline is another Analytics feature that is both powerful and easy to use in AXIOM. Timeline creates a graphical visualization based on all of the dates and timestamps available to be parsed out in your case. This includes timestamps reported by the file system, but also, because AXIOM takes the artifact-first approach to processing data, any timestamps parsed from the artifacts in your case.

This is incredibly important to really be able to understand the activity that occurred on your evidence, especially considering artifacts that have numerous timestamps parsed from them, such as LNK or prefetch files, chat records, or logs.

And it’s very easy within AXIOM to see exactly where a file is located with source linking. The Details pane shows the source of the file and you can quickly jump to where that file is in the file system.

You can validate what the Timeline is showing without having to dig through the file system to find the file. We do the heavy lifting while giving you quick access to the raw data.

Another one of the things about Timeline that our customers really love is the Relative Date/Time filter. This is incredibly helpful to quickly learn what happened leading up to an incident or likewise after it. You can anchor on a certain point in time when you know an incident occurred and then apply time range filters before and after that incident.

Case Dashboard: Your Case At-A-Glance

AXIOM’s Case Dashboard gives you the high-level details of your investigation, the evidence sources, and an overview of the digital evidence so you can quickly move to the analysis phase of your investigation.

PORTABLE CASE: SHARE FINDINGS

Portable Case can be created by any AXIOM user to collaborate on a case with other stakeholders. Examiners can choose to include as much or as little of the digital evidence that has been acquired and recovered in a case to collaborate and review evidence with others.

If you want to dive deeper into Portable Case, you’re in luck! Check out this two-part blog series on Portable Case:

Want to try all the Analytics features—and more—in AXIOM for yourself? Request a free trial of Magnet AXIOM to get started today!

The post Analytics in Magnet AXIOM appeared first on Magnet Forensics.

Top 10 Magnet Webinars to Watch While Working from Home


We know many of you are working from home and are looking for new ways to engage in learning while away from the lab. We’ve been so encouraged by the overwhelming response to our webinars over the last few weeks and want to ensure we make it as easy as possible for you to access these webinars and view them at a time that’s best for you. 

To that end, we’ve collected a selection of our most popular webinars from the past year, as well as Upcoming Webinars that are open for live-viewing registration on our Magnet Webinars resource page.

As a reminder, we’re hosting the Magnet Virtual Summit in May, which will include live sessions every day, kicking off May 4 with a special keynote address by our Founder and CTO Jad Saliba and VP of Product Management Geoff MacGillivray. Visit https://www.magnetvirtualsummit.com/ to learn more and register for free!

In the meantime, here is our suggested Top 10 list of webinars to watch while working from home:

Techniques that are Essential for Mac Investigations

Thanks to the regular changes Apple brings to macOS, Mac investigations can be particularly challenging. Learn about the Apple File System (APFS) and the changes made as part of the update from HFS+, while discussing the best techniques for successfully completing macOS investigations in Magnet AXIOM.

Getting a More Complete Picture Using Cloud Evidence

Data from cloud-based services from a suspect, victim, or even a witness can be invaluable in helping round out evidence for your investigations, but there can often be challenges with using this evidence once you have it. Learn how you can use Magnet AXIOM to leverage warrant returns, publicly available information from services such as Twitter and user-requested archives (e.g. Google Takeout) so you can get a more complete picture of a person of interest’s online persona and activity.

Eliminate Downtime by Over 90% with Magnet AUTOMATE 2.0

This webinar provides an in-depth look at Magnet AUTOMATE 2.0, the most powerful orchestration solution in the industry, and demonstrates how its capabilities can help maximize workflow efficiency and eliminate downtime.

The Need for Speed with Magnet OUTRIDER

This webinar focuses on the development and deployment of Magnet OUTRIDER, an extremely quick triage tool designed to help Law Enforcement prioritize evidence to analyze first in their investigations, both on scene and back in the lab, with the use of automation tools on the seized exhibits.

Responding to Ransomware Attacks with Gillware and Magnet Forensics

The methods that attackers are using to access networks and systems are constantly evolving, and Ransomware has become the most prominent attack used by both individuals with limited budget right up to nation-state actors with far more resources available to them. As bad actors use the latest tools and technology to extort organizations, it’s equally important for examiners to use the latest tools and techniques to prevent malicious attacks.

Nathan Little, VP of Incident Response and Forensics at Gillware, and Jamie McQuaid, Forensics Consultant from Magnet Forensics, walk through a case study where legitimate security tools are used by an attacker to deliver ransomware to an unsuspecting user, and how to best respond to these attacks.

Forensics Simplified: Corporate Investigations with Magnet AXIOM Cyber

Every corporate investigation provides its own challenges, whether investigators are examining cases dealing with workplace harassment, fraud, insider threat, or malware and ransomware attacks. Regardless of the case being worked, it’s vital that evidence can quickly be acquired, analyzed, and reported on. See how Magnet AXIOM Cyber can expedite corporate investigations while examining computer, mobile, and cloud evidence sources.

Addressing the Challenges of ICAC Investigations

Internet Crimes Against Children (ICAC) investigations can take a heavy toll on law enforcement agencies — examiners, in particular. We talk about some of the challenges presented by ICAC investigations and share how Magnet Forensics is working to help labs work through ICAC cases faster and recover defensible evidence while providing ways that promote officer wellness by minimizing over-exposure to IIOC.

Android Application Artifacts

Millions of available Android applications make it impossible for commercial tools to be able to parse and support them all, so it’s critical to understand how applications are stored on these devices and where to find that important data that could be vital to your case. Learn the basics of Android applications and see how enhanced features found in Magnet AXIOM, such as the Dynamic App Finder, our built-in SQLite Viewer, and Magnet App Simulator can help you review, interact, and report on the application data in your case quickly and efficiently.

Supporting the Unsupported: Carving, Parsing, and Creating Custom Artifacts

Many new mobile applications include features that can contain crucial evidence, though often commercial forensic tools struggle to keep pace with the volume of these new apps or their usage. Learn how to acquire and parse evidence from a wide range of smartphones and review methods to discover and parse data from unsupported applications, including the chat, contact, location, and historical data that can be found using AXIOM’s Dynamic App Finder.

Dig Deeper: Cloud Investigations with AXIOM Cyber

As cloud services become the new normal for nearly all businesses, it’s critical that your forensics tools support the ever evolving landscape. Learn about how Magnet AXIOM Cyber can help accelerate your internal investigations across Office 365, Slack and more.

Be sure to check out our Magnet Webinars resource page to find our most popular webinars as well as upcoming live webinars that are open for registration.

The post Top 10 Magnet Webinars to Watch While Working from Home appeared first on Magnet Forensics.

Introducing the Magnet Idea Lab!


We’re excited to announce the launch of Magnet Idea Lab – an exclusive community of beta users who’ll get the opportunity to provide feedback on the next generation of Magnet Forensics’ technology.

It’s the Magnet Way to listen and provide you with the tools and solutions you need to solve cases better and faster. We love hearing your feedback, and that’s why we’re thrilled to be able to get new feature ideas, products and solutions into the hands of those who’re eager to test them sooner than ever before.

As a member of the Magnet Idea Lab community, you’ll get the chance to engage directly with our team to provide feedback that will influence our upcoming feature releases as well as entirely new products and solutions.

If you’re interested in testing innovations that will shape the future of digital forensics, apply now at www.magnetidealab.com!

How to Apply and Start Testing

  • Visit www.magnetidealab.com and click “Apply Now” to fill out the application form
  • Once your application is approved, you’ll receive an email inviting you to login and explore our open beta projects
  • Each beta project will have its own technical specifications, timeframe and feedback methods so that you can apply for the beta projects that suit you best

A Sneak Peek of What’s in Store

In celebration of the launch, we wanted to give you a sneak peek of an exciting beta project the community will be testing. But moving forward, all our Magnet Idea Lab beta projects will be kept strictly under wraps!

  • Magnet OUTRIDER Mobile: Idea Lab members from Law Enforcement will have the opportunity to be the first to get their hands on a beta version of Magnet OUTRIDER Mobile. OUTRIDER Mobile is a tool that assists in checking a mobile device for contraband to get a very quick assessment of what you’re dealing with on-scene.

Ready to apply? Head over to www.magnetidealab.com to apply now.

The post Introducing the Magnet Idea Lab! appeared first on Magnet Forensics.

Magnet Virtual Summit 2020 – Want to Play a Game?


Hi! It’s Jessica Hyde with Magnet Forensics. We are so stoked for all the exciting elements we have in store for the Magnet Virtual Summit 2020 (#MVS2020). I wanted to take a moment to share some of the games with you and how you can play! All games are eligible for prizes! We also hope you enjoy the game-inspired graphics from our own Forensic Consultant, Trey Amick:

Magnet Virtual Scavenger Hunt – #MVS2020Hunt

Did you know you can earn points and win prizes just by attending talks and answering some fun questions? You can!

This Scavenger Hunt contains questions from the sessions that are part of the Magnet Virtual Summit. Answer questions pertaining to different talks, lectures, and events to earn points. Prizes will be awarded at the end of the Magnet Virtual Summit. Thanks to Heather Smith for the inspiration. Here is how to play:

  1. Register here: https://MVS2020Hunt.ctfd.io using the email address you used to register for #MVS2020
  2. After each talk, lecture, or event – answer a question from that session

Like a Boss – chomp up clues like in this classic game.

DFIRFit Costume Challenge – #MVSDFIRFit2020

Join us for this #DFIRFit event to raise money for charity. On May 12, we ask that members of our community do some physical activity for 30 minutes and share a picture of it on Twitter with the #MVSDFIRFit2020. Costumes encouraged!

  • Do some type of physical activity (run/walk/jog/weightlift/bike/yoga/dinosaur wrangling/curling/etc.) for at least 30 min on May 12, as we all virtually get #DFIRFit together apart. 
  • Post a picture/video of that activity on Twitter with the #MVSDFIRFit2020 (preferably in costume/#DFIRFit apparel/#MVSDFIRFit2020 gear)
  • (Optional) Fill out the form on mvsdfirfit2020.com and donate to one of the three designated charities:
    • Play Like A Girl
    • Middle Tennessee Emergency Response Fund
    • Gates Foundation Combating COVID 19
  • Magnet Forensics will have a special prize for the most creative picture/video of a #DFIRFit activity with the #MVSDFIRFit2020 hashtag on May 12. We will announce the winner live on the Forensic Lunch on May 15.

Mario is getting DFIRFit by collecting artifacts

Magnet Virtual Summit Capture the Flag – #MVSCTF2020

For the third year in a row, we are excited to bring the Magnet User Summit Capture the Flag event. This year it has gone virtual and worldwide. We are excited to be working with the Digital Forensics Association at Champlain College to bring you this year’s challenge.

  1. Register for the Magnet Virtual Summit and sign up for the CTF.
  2. Sign up for the scoreboard at https://mvs2020.ctfd.io with the same email address that you used to register for the summit. Check out the rules on that site. Winners MUST be registered for the Magnet Virtual Summit.
  3. Anyone registered for the CTF via the MVS website by May 3, 2020 will receive a download link for the images to be used for the case on May 4. If you register between May 4 and May 10, you will receive a download link for the images on May 11. The early bird gets the images!  You will want the time to download and process ahead of the LIVE CTF event.
  4. The CTF will take place May 12, 2020 from 5:45PM(ET)/9:45PM(UTC) to 8:45PM(ET)/12:45AM[13 May](UTC)
  5. The first-place winner will be a guest on the Forensics Lunch live from the Magnet Virtual Summit on Friday May 15.

2020 MVS CTF logo by Trey Amick

We are looking forward to having fun with you all as part of the Magnet Virtual Summit starting May the 4th. Be sure to join our Founder & CTO, Jad Saliba; VP, Product Management, Geoff MacGillivray; and me for a fun-filled social hour on May 4 to learn more about the fun stuff we have in store throughout #MVS2020! If you have comments or questions, be sure to reach out to me at jessica.hyde@magnetforensics.com.

The post Magnet Virtual Summit 2020 – Want to Play a Game? appeared first on Magnet Forensics.


Remotely (& Covertly) Acquire Mac with Magnet AXIOM Cyber 4.0


If you have Mac endpoints in your environment and need to collect evidence over a network connection, AXIOM Cyber 4.0 is here to help! We officially launched AXIOM Cyber in January with Windows remote acquisition capabilities, AWS S3/EC2 support, Microsoft Teams, Slack, and a whole host of other cloud capabilities, and while customers are loving the Magnet approach to remote acquisitions, we’ve heard the need for reliable macOS support.  

In this blog we’ll talk about our macOS remote acquisition capabilities and how we are working around some of the roadblocks that customers have faced when investigating Macs around T2 encryption and System Integrity Protection (SIP).  

To learn more about other features we’ve recently added to AXIOM Cyber, check out this blog! 

If you’re not already using AXIOM Cyber and would like to try it for yourself, request a trial today

Mac Acquisition  

For years, when investigators have been tasked with examining Macs in corporate environments, options have been limited in terms of the best way to query and acquire files from the endpoint under investigation, especially in a covert manner. With the release of AXIOM Cyber 4.0, examiners can now select during the agent creation process whether they want to deploy to a Windows or Mac endpoint.

The AXIOM Cyber agent is built on .NET Core, which means a bunch of the .NET dependencies are packaged with it as part of the agent creation process. While discussing the agent creation process, we’ve had customers ask if they can whitelist our agent for use in their environment. You can do this, but it can’t be whitelisted based on hash value, because each agent is built specifically from the parameters entered during the build process, so no two agents share a hash.

Unlike our Windows remote acquisition capabilities, where users can select either logical files or the physical disk for acquisition, our macOS agent allows for only logical file collection. AXIOM Cyber leverages operating-system calls (vs bytes from a mounted volume) for the acquisition. While it’s understandable that examiners may need a physical image of corporate endpoints, collecting logical files over the network allows AXIOM to forgo imaging limitations faced when encountering Apple hardware that has T2 chips (devices from late 2017 on). More information on the hardware-based encryption provided by T2 chips can be found here. Another hurdle that is avoided by collecting logical files versus traditional physical imaging is System Integrity Protection (SIP). SIP has been around for a little while now, having been released in OS X 10.11 (El Capitan), which initially protected:

  • /System
  • /usr
  • /bin
  • /sbin
  • /var
  • Apps that were pre-installed with OS X

SIP only allowed modification of the protected locations by processes signed by Apple. Learn more about System Integrity Protection here. SIP also prevents access to the disk from a physical layer for imaging, so unlike in the past where we could image the Mac while it was on and logged into, that isn’t the case anymore, without SIP being disabled.

With the recent release of macOS Catalina (10.15) Apple upgraded SIP by instead of protecting specific locations on the same volume, it’s now created a second system volume which is completely read-only. Machines using the standard naming convention will have both Macintosh HD and Macintosh HD – Data. Macintosh HD will contain only the operating system files, so examiners looking for user profile data will typically be interested in the “Macintosh HD – Data” volume. It’s important to note that even though there is a new “-Data” volume, end users will not notice a change on their end. Read more about the changes made during the 10.15 upgrade here!

Forensic Nugget: If you run across a “Relocated Items” folder during an exam and have found a random assortment of files within, this folder is a result of the Catalina upgrade, where Apple migrated any user files that were previously stored in the startup volume, so users would still have access to their data once Macintosh HD became read-only. The Relocated Items folder is placed (Users/Shared/Relocated Items) with a shortcut also being added to the Desktop.

Similar to what users find when collecting from Windows endpoints, we’ve also added the ability to quickly acquire from pre-packaged targeted locations, removing the need to dig through the file system for data that is routinely needed in your investigations. This could range from browser history to quarantine files, iOS backups, iCloud data, or the unified log.

Deployment

Once the Mac agent is created in AXIOM Cyber, it’s time for deployment. In order for our agent to deploy we require Remote Login enabled. Remote Login can be found by navigating to:

If an examiner is using a root user (different from admin user with sudo), they will need to enable SSH for root, but this isn’t recommended or feasible in most corporate environments. When Remote Login is activated in settings as discussed above, SSH will be enabled.

AXIOM Cyber’s macOS remote acquisition deployment will attempt to run the agent with sudo if the supplied user credentials have permissions based on the sudoers file. If the user credentials have sudo permissions enabled AXIOM will display the user as root.


Based on the permissions of the user, Cyber may be limited in which files can be acquired. For example, if a user doesn’t have sudo access, .fseventsd and .Spotlight-V100 wouldn’t be accessible, because by default macOS grants read/write on those system directories only to root, with no permissions set for any other users; this means Cyber can’t acquire them with an admin account but can with sudo. Unfortunately, a few files remain inaccessible for acquisition even with sudo privileges due to even more restrictive permissions. One example of this is the Lockdown folder (on 10.15.5), which contains pairing certificates for iOS devices.

What’s Next for AXIOM Cyber

Here at Magnet Forensics, we utilize an iterative and incremental development cycle for our products, and with that comes discussions about the future capabilities we’d like to support. With that in mind, we felt it was important to get Mac remote acquisition into the hands of our customers as soon as possible while we continue development of acquiring and processing Mac volatile memory and open processes. Our engineering team is also hard at work integrating alternative output formats for data acquired from remote endpoints; customers will soon have the option of either .zip or AFF4-L as an output format. Lastly, examiners will soon be able to create and save custom targeted locations for data they routinely need to collect, rather than having to manually select it from each endpoint for every investigation. If there are other artifacts you’d like to see supported, please don’t hesitate to reach out; we’d love to hear from you!

Want to learn more? Head over to the Magnet AXIOM Cyber page for more information and request a free trial today!

As always, if you have any questions, comments, or product feature requests, don’t hesitate to reach out to me at trey.amick@magnetforensics.com.

The post Remotely (& Covertly) Acquire Mac with Magnet AXIOM Cyber 4.0 appeared first on Magnet Forensics.

Find Similar Pictures in Magnet AXIOM 4.0


Our engineers have been hard at work and as a part of the latest AXIOM release, we’ve added additional capabilities around Magnet.AI. Content-based image retrieval (CBIR) is a fantastic resource for investigators needing to find similar images, especially when working with multiple pieces of digital evidence that could contain hundreds of thousands of images.  

Magnet.AI finds similar pictures based on a picture’s general attributes, rather than specific details such as small objects or faces. Use Magnet.AI to help you find other pictures that are similar, such as pictures of the same room or pictures with similar scenery. 

To learn more about other features we’ve recently added to AXIOM, check out this blog! If you’re not already using AXIOM and want to try AXIOM 4.0 for yourself, request a trial today.

The Science Behind AXIOM’s Find Similar Pictures Artifact 

As digital evidence and requests for analysis continue to rise for examiners, the resources found in your forensic tools can make the difference between actionable data being discovered quickly enough for investigators to act on it and being too late. Investigations requiring massive amounts of media review can, as we all know, take precious time; with content-based image retrieval, however, we can expedite results for examiners that might otherwise have taken many hours to find manually.

During the picture comparison stage, Magnet.AI processes each image through a deep learning model to extract non-human-readable characteristics from the media. Each image is analyzed, compiling thousands of feature measurements into vectors for use in identifying similar pictures. When a reference image (either from inside the case or imported from outside the case file) is queried, Magnet.AI calculates a score between its vector and the vectors created during the initial picture comparison stage. The closer the scores are to one another, the more likely the pictures are to be similar.
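The scoring and ranking step described above, written out as an added example (not Magnet's code): the feature vectors are constructed, cosine similarity is an assumed scoring function since Magnet does not publish its metric, and the storage and result-cap figures are the ones quoted in the Considerations section later in this post.

```python
"""Ranking pictures by feature-vector similarity (added example).
Constructed data and an assumed metric; Magnet does not publish the
model or scoring function behind Find Similar Pictures."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample "picture comparison" output: one feature vector per
# picture. Real models emit thousands of dimensions; four keep this
# readable. None marks a corrupted picture whose features could not be
# extracted and which the search therefore skips.
SAMPLE_FEATURES: Dict[str, Optional[List[float]]] = {
    "IMG_0001.jpg": [0.9, 0.1, 0.0, 0.2],  # indoor room, bright
    "IMG_0002.jpg": [0.8, 0.2, 0.1, 0.1],  # same room, other angle
    "IMG_0003.jpg": [0.1, 0.9, 0.3, 0.0],  # outdoor scenery
    "IMG_0004.jpg": None,                  # corrupted file
    "IMG_0005.jpg": [0.0, 0.0, 0.0, 0.0],  # degenerate: no features
}

# Figures quoted in the Considerations section of the post.
STORAGE_PER_PICTURE = 8 * 1024   # ~8 KB of Magnet.AI data per picture
RESULT_CAP = 10_000              # at most 10 000 results are displayed


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Score in [-1, 1]; 1.0 means the vectors point the same way.
    Cosine similarity is this example's choice of metric (an assumption)."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0  # a zero vector carries no information: never "similar"
    return dot / (norm_a * norm_b)


def find_similar(reference: Sequence[float],
                 features: Dict[str, Optional[List[float]]],
                 limit: int = RESULT_CAP) -> List[Tuple[str, float]]:
    """Return (picture, score) pairs, most similar first, capped at limit.
    The reference may be a picture in the case or one imported from
    outside it, so it is passed as a vector rather than a name."""
    scored = [(name, cosine_similarity(reference, vec))
              for name, vec in features.items() if vec is not None]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored[:limit]


def comparison_storage_bytes(features: Dict[str, Optional[List[float]]]) -> int:
    """Rough disk footprint of the comparison database for this case."""
    return sum(1 for v in features.values() if v is not None) * STORAGE_PER_PICTURE


if __name__ == "__main__":
    for name, score in find_similar(SAMPLE_FEATURES["IMG_0001.jpg"], SAMPLE_FEATURES):
        print(f"{name}: {score:.3f}")
```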

Now that we’ve got an idea on what’s going on behind the scenes when an examiner runs the Find Similar Pictures feature in AXIOM, let’s walk through use of the tool.  

Using the Find Similar Pictures Feature in AXIOM 

To use Find Similar Pictures, the examiner must first open a case in AXIOM Examine and build picture comparisons by choosing Tools > Build picture comparison. Unlike building a timeline or connections in AXIOM, this process may take longer depending on your system specs. Examiners who want picture comparison, connections, and timeline to run automatically after processing can navigate to Tools > Settings and check the post-processing options they wish to have run.

Once the process has completed, you can select a reference picture to find similar pictures.  

1. In AXIOM Examine, from the Artifacts or File system explorer in Row, Column, Classic, or Thumbnail view, right-click on a picture.

2. Click Find Similar pictures and choose Select picture.

3. AXIOM Examine will then display matching results in the Thumbnail view in the Artifacts explorer, and will sort the pictures automatically so that the most similar pictures appear at the top.

Considerations for Using Find Similar Pictures  

To find similar pictures, Magnet.AI must create a large database, so for optimal performance we recommend the following:

  • Make sure you have enough space to store the data. Each picture needs approximately 8 KB of space to store the data that Magnet.AI produces.
  • Store your case files on an SSD rather than a fixed or external drive. Magnet.AI will function on a fixed or external drive, but it will not perform as well.
  • Use a computer with a GPU. When you build picture comparison using Magnet.AI, if Magnet AXIOM detects a GPU on your computer with more than 126 MB of free memory, it automatically attempts to use it. Using a GPU instead of a CPU can significantly decrease the time it takes to build picture comparison.
  • Magnet.AI will search all uncorrupted picture files in your case. However, if the case contains more than 10 000 pictures, only the 10 000 most similar to the reference photo will be displayed in the search results.

We hope Find Similar Pictures, powered by Magnet.AI, will help maximize examiners’ time when combing through media-intensive investigations by revealing pictures with similar characteristics. As always, if you have any questions or comments, don’t hesitate to reach out to me at trey.amick@magnetforensics.com.

The post Find Similar Pictures in Magnet AXIOM 4.0 appeared first on Magnet Forensics.

Up to 5X Faster Search Filtering in Magnet AXIOM 4.0


You asked and we heard you loud and clear! In addition to all the new and exciting features in the latest release of Magnet AXIOM 4.0, we’ve significantly improved searching and filtering speeds in AXIOM Examine. With prior versions of AXIOM, we heard from customers time and again that running these filters was cripplingly slow and a point of frustration for many users. In AXIOM 4.0, we switched to using Apache Lucene™ for these searches, making for a smoother user experience and saving you time in your casework!

Lucene

Lucene is a high-performance, full-featured text search engine library. When you open a case in AXIOM Examine, the text found within that case must be indexed before this functionality can be used; you will notice at the bottom of your AXIOM Examine window that the Search Index begins to build automatically. You will have the option to cancel, but we recommend you don’t! Building the index does not take very long, and you can still navigate AXIOM and work your case while it is indexing.

Once the index is built, you will be able to use the Global Search filter within your case considerably faster! In our tests, we noticed speed improvements that were as much as 5 times faster than in previous versions of AXIOM! See the chart below for the results of our testing.

Get Magnet AXIOM 4.0 Today! 

If you’re already using AXIOM, download AXIOM 4.0 over at the Customer Portal. If you want to see how AXIOM 4.0 can help you find the evidence that matters, request a free trial today

The post Up to 5X Faster Search Filtering in Magnet AXIOM 4.0 appeared first on Magnet Forensics.

New Exporting and Reporting Features in Magnet AXIOM 4.0


Magnet AXIOM 4.0 brings to you a ton of new and advanced features to assist you in your investigations! From faster filtering with Lucene, Find Similar Pictures using CBIR, more details in your AXIOM Process scan summary, to new AXIOM Cyber features like Azure VM and remote macOS acquisition, this new release is jam packed with TONS of exciting newness!

Even one MORE feature to add to this list is a totally revamped way to customize and streamline your reports and exports from AXIOM Examine! In AXIOM 4.0, we’ve totally overhauled the export functionality of our artifacts, allowing you the flexibility to choose exactly which artifacts and columns to report on, as well as giving you the ability to create templates to allow for faster exporting on each case you work.

Using the New Reporting Features

You can access the new reporting features just like before! Either right click in your artifacts view, or go to the File menu at the top of the AXIOM Examine window and select Create Report/Export. You’ll notice a completely different look in AXIOM 4.0.

Create report/export

Depending on the type of export you choose, you will have different options available to you. In the first section, under “Items to Include,” AXIOM users will be familiar with some of these options, like including items in your view, including only tagged items, or including case dashboard cards such as case/evidence overview, keyword matches, and media categorization summary. What’s new in version 4.0 is the ability and flexibility to create templates for specific artifact types, columns, and format options. This customization is a useful shortcut for examiners who use the same reporting options from case to case. You can pick your predefined template in the dropdown menu and select Quick Export at the bottom of the window for an easy way to export your data from AXIOM.

Quick export

Also new in AXIOM 4.0 is even MORE capability to customize your reports by selecting column information from your artifacts you want to include. You can choose which specific columns you want to include in your report for each artifact, and you can even reposition the columns, and create a template for these configurations as well! Then in later cases you can reuse this template so you will only need to configure it once!

You can easily manage these templates through the AXIOM interface too! You can edit, duplicate, or delete them, and you can even import or export them from other instances of AXIOM, allowing for easy sharing and collaboration with others in your lab!

Manage export/report settings

Get Magnet AXIOM 4.0 Today! 

If you’re already using AXIOM, download AXIOM 4.0 over at the Customer Portal. If you want to see how AXIOM 4.0 can help you find the evidence that matters (and show you when it doesn’t), request a free trial today

The post New Exporting and Reporting Features in Magnet AXIOM 4.0 appeared first on Magnet Forensics.

Rely on AXIOM: New Detailed Scan Summaries with Exception Reporting


One of the key themes that we’ve heard from our customers leading up to the release of AXIOM 4.0 is that they’re using AXIOM as their primary tool in their forensic toolkit. Not only for desktop investigations but for mobile and cloud investigations as well. Greater demands are being placed on AXIOM and our customers have, more and more, come to rely on it. The result of those greater demands? We’ve introduced new detailed Scan Summaries including Exception Reporting. 

You need to have a high degree of confidence in AXIOM and know exactly what it is doing when it scans an image. Detailed information like type of scan (e.g. full, sector level, partitioned space), scan start and end times, duration, and scan settings are all necessary for reproducibility and forensic integrity. 

Detailed Scan Summaries

Remember that high school math teacher who always told you to show your work? It wasn’t just enough to have the right answer, you needed to show how you got to that final answer. This is essentially what we’re doing with AXIOM: we’re showing you the work of how we got to the final answer. 

The information now included in AXIOM’s detailed Scan Summaries helps you if you ever need to reproduce a scan or provide a report to defense/prosecution. 

This screenshot is an example of a successful scan done during our internal testing and gives you a peek at the kind of information you’ll find from Scan Summaries in AXIOM 4.0.

Exception Reporting

The sheer amount of data in cases today is growing, and so is the diversity of data. Google Play, for example, releases an average of 6,140 new Android apps daily! It’s impossible to keep up with that kind of volume, and it is simply inevitable that errors or exceptions will happen occasionally during your scans.

When those errors happen, you need to know what AXIOM may have missed so you can document it and continue your investigation with confidence. 

The screenshot below is an example of an unsuccessful scan. Not only can you see high-level details about what was successfully scanned and what was not, you can also see detailed information about the exceptions that occurred during the scan. AXIOM shows you a description of the file, the type of artifact it is and the reason for the exception. 

Get Magnet AXIOM 4.0 Today! 

If you’re already using AXIOM, download AXIOM 4.0 over at the Customer Portal. If you want to see how AXIOM 4.0 can help you find the evidence that matters (and show you when it doesn’t), request a free trial today

The post Rely on AXIOM: New Detailed Scan Summaries with Exception Reporting appeared first on Magnet Forensics.
