
Faster. Flexible. Trusted. Magnet AXIOM 4.0 is the Strongest Version of AXIOM Yet


We’re proud to announce the availability of Magnet AXIOM 4.0!

Magnet AXIOM 4.0 and an updated Magnet AXIOM Cyber are now available to download within AXIOM or over at the Customer Portal. With this next step in AXIOM’s evolution, we’ve brought huge enhancements to the speed, flexibility, and reliability of AXIOM. And with AXIOM Cyber, we’re excited to introduce remote collection of Macs and Azure virtual machine image acquisitions.

If you haven’t tried AXIOM or AXIOM Cyber yet, request a free trial here.

Up to 5X Faster Filtering

We’ve dramatically reduced the amount of time it takes to filter data compared to previous versions of AXIOM. Now, searching and filtering can happen up to 5x faster, depending on the size of the case and the data set returned from your search—reducing your downtime and helping you get your cases completed even faster.

See for yourself how AXIOM is reducing filtering time in this blog from Tarah Melton.

Find Similar Pictures

Using integrated CBIR (content-based image retrieval), AXIOM can automatically locate pictures containing similar features. Examples include pictures with similar subject matter or pictures that were taken in the same location as a part of a series. From there, pictures are displayed in ranked order based on similarity to the query picture in the thumbnail view.

Once the ‘Build Picture Comparison’ process has completed, you can right-click on any image in your case and select ‘Find Similar Pictures’ to see the results. The ‘Build Picture Comparison’ task can be run manually, or automatically when case processing has completed.

You’ll also be able to load external pictures that aren’t in your case to find similar pictures within the case file by selecting ‘Import picture to find similar pictures’ from the Tools menu. The imported image is only used as a reference and is not included in the case file.
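To make the ranking idea concrete, here is a small added example of content-based retrieval. It is written for this page and is not AXIOM's code or the algorithm Magnet uses: each picture is reduced to a 64-bit difference hash (dHash), a common perceptual hash, and gallery pictures are ordered by Hamming distance from the query picture, which is what a similarity-ranked thumbnail view does. The pictures, file names and the 8x8 hash size are constructed for illustration, and the script runs with the Python standard library only.

```python
"""Ranking pictures by visual similarity with a perceptual hash.

Added illustration of the content-based image retrieval idea described
above. It is not AXIOM's implementation: it uses a difference hash
(dHash) computed over small constructed grayscale images (lists of
0..255 rows) so that it runs with the standard library only.
"""
from typing import Dict, List, Tuple

Image = List[List[int]]  # rows of grayscale pixels, 0 (black) .. 255 (white)


def resize_nearest(img: Image, width: int, height: int) -> Image:
    """Rescale with nearest-neighbour sampling (enough for hashing)."""
    src_h, src_w = len(img), len(img[0])
    return [
        [img[(y * src_h) // height][(x * src_w) // width] for x in range(width)]
        for y in range(height)
    ]


def dhash(img: Image, size: int = 8) -> int:
    """Difference hash: shrink to (size+1) x size, then emit one bit per
    horizontally adjacent pixel pair (1 if the left pixel is brighter).
    Rescaling, recompression and brightness shifts leave most bits intact,
    so near-duplicates land a few bits apart while unrelated pictures
    differ in roughly half of the 64 bits."""
    small = resize_nearest(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two hashes differ."""
    return bin(a ^ b).count("1")


def rank_similar(query: Image, gallery: Dict[str, Image]) -> List[Tuple[str, int]]:
    """Order gallery pictures from most to least similar to the query
    (smallest Hamming distance first), as a thumbnail view would."""
    q = dhash(query)
    scored = [(name, hamming(q, dhash(img))) for name, img in gallery.items()]
    return sorted(scored, key=lambda item: (item[1], item[0]))


# Constructed test pictures (not real evidence).
def gradient(w: int, h: int, flip: bool = False) -> Image:
    """Horizontal brightness ramp; flip=True mirrors it."""
    ramp = [x * 255 // (w - 1) for x in range(w)]
    if flip:
        ramp.reverse()
    return [list(ramp) for _ in range(h)]


def checkerboard(w: int, h: int, cell: int = 2) -> Image:
    return [[255 if ((x // cell) + (y // cell)) % 2 == 0 else 0 for x in range(w)]
            for y in range(h)]


if __name__ == "__main__":
    query = gradient(16, 16)
    gallery = {
        "ramp_rescaled.jpg": gradient(32, 24),          # same picture, other resolution
        "ramp_mirrored.jpg": gradient(16, 16, flip=True),
        "checkerboard.jpg": checkerboard(16, 16),
    }
    for name, distance in rank_similar(query, gallery):
        print(f"distance {distance:2d}  {name}")
```

The rescaled copy of the query hashes to the same value (distance 0), the checkerboard lands in the middle, and the mirrored ramp inverts every bit (distance 64). Real tools add colour, texture and deep-learning features on top of this, but the retrieval step, hash once and rank by distance, is the same.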

See it in action in this blog and how-to video from Trey Amick.

Reimagined Exports

Reporting is easier than ever with customized Exports. Now, you can choose to include only data relevant to your case such as specific artifact types and columns.

And with the new addition of Export Templates for similar case types, efficiency and consistency of exports is improved—with standard formats agency-wide helping to streamline processes. It’s easier than ever to export and import these templates and share them with your colleagues.

Learn more in this blog and video from Tarah Melton.

Stronger Reliability with Scan Summary and Exception Reporting

Thanks to a new detailed Scan Summary and Exception Reporting, you can improve the defensibility and reproducibility of examinations by knowing what data was scanned and what may have been missed.

Now, if you have multiple evidence sources scanned and one fails, you can use the new details pane to understand what needs to be re-scanned and what likely caused that outcome.

Find out more about Scan Summaries and Exception Reporting in this blog post from our Product Marketing Manager, Sal Aziz.

New in Magnet AXIOM Cyber: Remote Collection From Macs

With Magnet AXIOM Cyber, you can remotely browse and reliably acquire files from Macs without having physical access. That includes remote collections from Macs with T2 security chip encryption or System Integrity Protection enabled.

AXIOM Cyber makes it even easier to use one tool to remotely collect data from Macs and Windows devices and then analyze it alongside data from computer, cloud, and mobile evidence sources in a single case file.

See how you can use AXIOM Cyber to perform remote collection from Macs in this blog and how-to video from Trey Amick.

Azure Virtual Machine Acquisitions Now in AXIOM Cyber

Use AXIOM Cyber to acquire virtual machine images hosted in Microsoft Azure as a part of your investigation. AXIOM will then automatically begin processing the VM image once it has been acquired to simplify the workflow.

The acquired image is a .VHD which represents the virtual hard drive of the virtual machine running in Azure.

This feature requires advanced configuration of the Azure environment to provision an account that has permission to image VMs. 

New Artifacts

  • Albums — Photos (macOS)
  • Houseparty (iOS, Android)
  • iCloud Local Files (macOS)
  • ID for Advertisers (iOS)
  • KnowledgeC – App Usage (macOS)
  • KnowledgeC – App WebUsage (macOS)
  • LogMeIn Activity (Windows)
  • Private Photo Vault (iOS)
  • Safari Preferences (macOS)
  • TeamViewer File Transfers (Windows)
  • TeamViewer Sessions (Windows)
  • Wickr (Android)
  • Z shell (macOS)

Updated Artifacts

  • Albums (iOS)
  • Android 10 System Artifacts (Android)
  • Apple Notes – Voice (macOS and iOS)
  • Cached Locations (iOS)
  • Chrome Logins
  • Chrome/Webkit Browsers (Android)
  • Live Photos (macOS)
  • Mail (iOS)
  • Messenger (iOS)
  • OS Information (macOS)
  • Outlook (macOS and Android)
  • Safari (iOS, macOS)
  • TextFree (iOS)
  • Threema (iOS)
  • Twitter (iOS)
  • Videos (macOS and Windows)
  • VK (iOS)
  • Wickr (iOS)
  • Zalo (iOS)
  • Zoom (Android, iOS)

Get Magnet AXIOM 4.0 Today!

If you’re already using AXIOM or AXIOM Cyber, download AXIOM 4.0 over at the Customer Portal. If you want to see how AXIOM 4.0 can help you find the evidence that matters, or how AXIOM Cyber can help you simplify remote acquisitions, request a free trial today!

The post Faster. Flexible. Trusted. Magnet AXIOM 4.0 is the Strongest Version of AXIOM Yet appeared first on Magnet Forensics.


An Exciting Kick Off to the Magnet Virtual Summit!


Thank you to everyone who joined us on Monday as we kicked off the Magnet Virtual Summit with a great keynote from our Founder & CTO, Jad Saliba, and our VP of Product Management, Geoff MacGillivray. We were excited to showcase the freshly released Magnet AXIOM 4.0 while enjoying a bit of Star Wars Day.

We also had a great time with our first Magnet Social Hour! It was fantastic getting a chance to catch up with customers we haven’t been able to see in person — and play a round or two of some challenging trivia.

Our next Magnet Social Hour will be taking place on Thursday, May 7 at 12:30PM ET/6:30PM CET and this time we’ll be showing off some of the challenge coins we have in our collections. Be sure to join and have yours ready to share (and/or share it on Twitter using the #MagnetSocialHour hashtag)! Click here to modify your agenda and add this session today

MVS2020 LOADED WITH GREAT PRESENTATIONS

In our first day of labs and lectures we had some great presentations. Our Director of Forensics, Jessica Hyde, started off with a great lab about “Taking a Byte Out of Chromebook Analysis” while guest speakers Alexis Brignoni and Geraldine Blay shared a very well-received presentation, “Pattern of Life Analysis — Timelining User Generated Activity”.

We have a lot of other fascinating presentations coming up this week — make sure to register over at www.magnetvirtualsummit.com to take part:

May 6
LAB: REVERSE ENGINEERING ANDROID FOR EXAMINERS, AN INTRODUCTION
Chris Atha, NW3C; Mike Williamson, Magnet Forensics
11:00AM – 12:30PM EDT

LECTURE: COLLABORATION TO COMBAT ONLINE CHILD EXPLOITATION
Arnold Guerin, RCMP National Child Exploitation Coordination Centre
1:00PM – 2:00PM EDT

MAY 7
LAB: TAKING THE FIRST STEPS INTO WINDOWS MEMORY FORENSICS
Tarah Melton; Lynita Hinsch, Magnet Forensics
11:00AM – 12:30PM EDT

LECTURE: THE EVOLUTION OF RANSOMWARE – ATTACK, INVESTIGATION, RESPONSE & PREVENTION STRATEGIES
Cindy Murphy, Tetra Defense
1:00PM – 2:00PM EDT

MAY 8
LECTURE: PRACTITIONER RESEARCH NEEDS AND ACADEMIC SUPPORT THROUGH GRADUATE PROGRAMS
Joe Walsh, DeSales University
11:00AM – 12:00PM EDT

Continue the conversation after the sessions and join us on the Digital Forensics Discord Server. We’ll be there both during and following this session! Sign up here: https://discordapp.com/invite/JUqe9Ek.

We’re looking forward to seeing you at Magnet Virtual Summit 2020! If you have any questions, please email us at magnetvirtualsummit@magnetforensics.com.


Mike Williamson’s Forensic 4:cast Award Nominations


It’s only a short time until nominations close (May 15—get your nominations in here! – Ed), but better late than never, right?

Here’s a look at my 2020 Forensic 4:cast award nominations!

DFIR Show of the Year

I have to nominate This Week in 4n6, originally created by Phill Moore and, since 2019, co-contributor Lodrina Cherne. I have always been struck by how consistent This Week in 4n6 has been since its inception. Having my own blog now, I can really see how tough it is to stay so on schedule with releasing new content! I’ve been repeatedly impressed with how the show picks up some of the obscure stories in our industry. I feel like Phill and Lodrina must be everywhere at once!

DFIR Mentor of the Year

This one is tough because I think the DFIR community is blessed to have an abundance of amazing mentors within it. Because of that, I had to go with my gut and pick someone that not only mentors others in our community regularly, but also who was a mentor to me as well. Once I factored that in, my nomination for DFIR Mentor of the Year was clear: Alexis Brignoni. Alexis is known for his dedication to the community, his uncanny ability to fit more than 24 hours of work into the day, and for his all-round awesomeness.

DFIR Resource of the Year

For this category I would like to nominate the #DFIR Discord channel, created by Andrew Rathbun and his team of excellent moderators. The channel has grown so much over the last few years and 2019 was no exception. I have connected with any number of people in the industry that I wouldn’t otherwise have been able to. This is just an exceptional resource. The networking opportunities alone have had a measurable impact on my professional career. Thanks Andrew and the rest of the team!

Digital Forensic Investigator of the Year

I think this category can be a tricky one because in DFIR jobs, we aren’t generally able to share everything (or anything) that we’ve worked on. That could mean I won’t have enough knowledge to be able to make a nomination in this category for next year. For 2019 though, the choice is totally clear: Shafik Punja is one of the most thorough, knowledgeable, dedicated examiners I have had the pleasure to know and work with. I had the opportunity to collaborate with Shafik in the form of a guest blog on Photos.sqlite on my personal blog in May of last year. Shafik’s passion for forensics, dedication to the field, and meticulous nature are unmatched in our industry and for those reasons, I’d like to put him forward for Digital Forensic Investigator of the Year.

Catch Up on Other Nominations From Our Examiners

If you need some ideas for nominations in other categories, check out our nomination series from our Examiners, including Jessica Hyde, Trey Amick, Jamie McQuaid, and Tarah Melton.

And remember to get your nominations in by May 15!


How To Use the Magnet Custom Artifact Generator


Hi, everyone. This is Jessica Hyde with Magnet Forensics. I wanted to reach out and share a bit about our newest free tool, MAGNET Custom Artifact Generator, including why I am so excited about how it allows examiners to bring new artifacts into Magnet AXIOM.

You may have seen a description of MAGNET Custom Artifact Generator alongside the other free tool updates released this week. But I wanted to show some examples of the multiple ways the tool can be used, because I personally think this is incredible for bringing all types of content into analysis inside AXIOM.

So what is MAGNET Custom Artifact Generator? It is a tool that lets you create Custom Artifacts from either SQLite or CSV/Delimited Text output from another tool, so that tool’s results can be brought into AXIOM and analyzed alongside your other results.

Some examples of data you could bring in include Call Data Records (CDRs), results from third-party tools like iLEAPP from Alexis Brignoni and Yogesh Khatri, Volatility plugin exports, KAPE exports, unsupported warrant returns, and more. And the neat thing is that once you have created the custom artifact, future exports from those tools or services can simply be added to AXIOM and the results will show.

Creating a Custom Artifact with MAGNET Custom Artifact Generator takes a few seconds per artifact. Here is an example of creating a Custom Artifact for the Account Data artifact from iLEAPP. iLEAPP creates .tsv exports, which work with the CSV/Delimited Text feature. Once you open the file, you simply look at the record preview for any timestamp and type in the Date/Time Format using the formatting symbols in the chart below.

MAGNET Custom Artifact Generator opening an AccountData.tsv export from iLEAPP.

Configuring the timestamp for the artifact

Once you have created a custom artifact with MAGNET Custom Artifact Generator, not only is it added to your instance of AXIOM so you can include that artifact in processing, it can also be exported and shared. You can share artifacts within your organization, especially if the export is from a custom in-house tool. If, however, your new custom artifact is for an open source or common tool, you can also share it with the community via the Artifact Exchange, and anyone will be able to use the artifacts you created. Alexis Brignoni has submitted some of these iLEAPP artifacts, created with MAGNET Custom Artifact Generator, to the Artifact Exchange, so you can download them and run them in your case.

Selecting the new Custom Artifact when processing with AXIOM

You only need to run MAGNET Custom Artifact Generator once to create the support for the artifact. Once you have done that, the custom artifact is ready for use in AXIOM and the export can be processed. Now you are ready to view your evidence or artifacts from an external tool or from another source like your CDR alongside your other evidence in AXIOM.

Viewing results from iLEAPP in AXIOM.
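What the timestamp step above actually does is the part most worth understanding, because a wrong format string is the most common way to end up with a convincing-looking artifact whose timeline is empty or shifted. The following added example (written for this page, not MAGNET Custom Artifact Generator code) reads a constructed iLEAPP-style .tsv, converts the chosen column with a date/time format, and keeps, rather than drops, the rows the format fails to parse. The sample rows, column names and the assumption that the export’s timestamps are UTC are all constructed; the format tokens are Python strptime tokens, which may not match the symbols in MCAG’s own chart.

```python
"""Turning a delimited tool export into timestamped records.

Added example of the step described above (open the export, pick the
timestamp column, enter its date/time format). This is not MAGNET Custom
Artifact Generator code; the rows are constructed in the shape of an
iLEAPP-style .tsv, and the format tokens are Python strptime tokens,
which may differ from the symbols in MCAG's own chart.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample export (tab-delimited, header row first).
SAMPLE_TSV = (
    "Timestamp\tAccount Desc.\tUsername\tDescription\tIdentifier\tBundle ID\n"
    "2020-04-28 14:03:11\tiCloud\tjdoe@example.com\tApple ID\t0001\tcom.apple.account.AppleAccount\n"
    "2020-04-30 09:17:45\tGoogle\tjdoe@example.com\tMail\t0002\tcom.google.Gmail\n"
    "not-a-date\tTwitter\tjdoe\tSocial\t0003\tcom.atebits.Tweetie2\n"
)


def parse_export(text: str, ts_column: str, ts_format: str,
                 delimiter: str = "\t") -> List[Dict[str, object]]:
    """Read a delimited export and convert ts_column using ts_format.

    Timestamps are assumed to be UTC (an assumption made here; check the
    producing tool's documentation). Rows whose timestamp does not match
    the format are kept, not dropped, with timestamp=None and the raw
    string preserved, so a bad format choice shows up as a visible gap in
    the timeline rather than as silently missing records.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    records: List[Dict[str, object]] = []
    for row in reader:
        raw = row.get(ts_column, "") or ""
        ts: Optional[datetime]
        try:
            ts = datetime.strptime(raw, ts_format).replace(tzinfo=timezone.utc)
        except ValueError:
            ts = None
        record: Dict[str, object] = {"timestamp": ts, "raw_timestamp": raw}
        record.update((k, v) for k, v in row.items() if k != ts_column)
        records.append(record)
    return records


def unparsed(records: List[Dict[str, object]]) -> List[str]:
    """Raw timestamp strings that the chosen format failed to parse."""
    return [str(r["raw_timestamp"]) for r in records if r["timestamp"] is None]


def timeline(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Parsed records in chronological order (unparsed rows excluded)."""
    dated = [r for r in records if r["timestamp"] is not None]
    return sorted(dated, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    recs = parse_export(SAMPLE_TSV, "Timestamp", "%Y-%m-%d %H:%M:%S")
    for r in timeline(recs):
        print(r["timestamp"].isoformat(), r["Account Desc."], r["Username"])
    print("rows with unparsed timestamps:", unparsed(recs))
```

Run it with the right format and two rows land on the timeline while the malformed third row is reported; run it with a wrong format (say `%d/%m/%Y %H:%M`) and all three rows come back unparsed, which is exactly the signal to go back to the record preview and fix the format before trusting the artifact.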

Because you can bring in third-party tool output, this is also great for our Magnet AUTOMATE customers: results from third-party tools run in an AUTOMATE orchestration can be brought back into AXIOM for analysis in one place. This lets you search and timeline across both your AXIOM results and whatever additional sources you have brought in with MAGNET Custom Artifact Generator.

I hope you are excited about the rapid extensibility that MAGNET Custom Artifact Generator allows you to bring to your AXIOM analysis.

Do you have other use cases for the MAGNET Custom Artifact Generator? I would love to hear about them or your other questions. Feel free to email me at jessica.hyde@magnetforensics.com.


New Free Tool Available: MAGNET Custom Artifact Generator, Plus Exciting Updates to MAGNET Web Page Saver and MAGNET Encrypted Disk Detector!


We’re proud to offer a brand-new free tool to your toolkit, the MAGNET Custom Artifact Generator! We’ve also made big updates to two of your existing favorites: the MAGNET Web Page Saver and MAGNET Encrypted Disk Detector. Better yet, they’re all free!

You can download all of our Free Tools over at the Free Tools page of our website.

Over the years, we’ve always tried to find ways to provide helpful tools to the community wherever we can — whether it’s the MAGNET App Simulator, MAGNET RAM Capture, or our consistently popular Magnet ACQUIRE too. We’re happy to keep that tradition going with these newly released Free Tools — read all about them below.

New: MAGNET Custom Artifact Generator


Download MAGNET Custom Artifact Generator here.

The new MAGNET Custom Artifact Generator (MCAG) tool makes it easy to create custom artifacts for use within Magnet AXIOM from CSV (and other delimited files) and SQLite databases. This means you can now build your own custom artifacts to bring data into AXIOM from other sources without needing to know XML/Python or Magnet’s API for custom artifacts.

We know that examiners are always looking for ways to bring more data from multiple sources into AXIOM, many times in unsupported formats. Custom artifacts are a very powerful extension to Magnet AXIOM that can make this possible, but they would often require time and some programming knowledge to create.

With the MAGNET Custom Artifact Generator, that process is now simplified so you don’t need programming experience to help unlock their power.

Key Features:

  • Supports CSV/Delimited files (tab-separated, space-separated, or custom delimiters) and SQLite databases
  • Allows you to configure timestamp fields and other categorization fields and set data types
  • GUI/Wizard-driven, so no coding experience required
  • Generated custom artifacts can be saved directly to AXIOM

For a detailed review of MAGNET Custom Artifact Generator check out this blog from our Director of Forensics, Jessica Hyde.

MAGNET Web Page Saver v3.0


Download MAGNET Web Page Saver v3.0 here.

MAGNET Web Page Saver (WPS) is perfect for capturing how web pages look at a specific point in time. We’ve brought a lot of new features to WPS v3.0, including:

  • New SQLite output option: Everything captured goes into a single SQLite database file and a custom artifact is saved to the output folder, enabling you to ingest that SQLite database (or any WPS-generated SQLite database) into AXIOM
  • Ability to save linked/embedded images and videos (.jpg, .mp4, .png, .bmp, .gif, .avi, .mpg, .wmv, .jpeg, .mov, .m4v, and .flv extensions) from captured web pages to individual files that are easy to scan/hash with Magnet AXIOM afterwards
  • Web browser interface included to allow for logging into sites/creating sessions prior to starting a capture
  • Enables Ad-hoc/manual capture of pages, browsing to sites manually and capturing as you go
  • View progress for long captures when in the automated capture mode
  • New option to save raw HTML content from captured web pages in addition to the screen capture
  • New Chrome-based browser/browser engine for displaying and capturing pages – supports all modern pages and doesn’t rely on what you have installed on your machine
  • Updated PDF support with improved capture and new options, including auto-bookmarking and enable/disable links in the PDF
  • New link to the capture log in the HTML report

MAGNET Encrypted Disk Detector v3.0


Download Encrypted Disk Detector v3.0 here.

Encrypted Disk Detector (EDD) is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response.

New Features include:

  • Overall performance and stability improvements
  • VeraCrypt support added
  • You can now specify a single drive to be checked for encryption:
    • Bitlocker, TrueCrypt, PGP, SafeBoot, and VeraCrypt detection are supported in this mode
    • This allows EDD to be used in an AUTOMATE workflow to check a drive/mounted image for encryption in order to determine next steps in the workflow
  • Enhanced information displayed for drives
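For readers who want to see what “quickly and non-intrusively check for encrypted volumes” means in practice, here is an added example written for this page. It is not Encrypted Disk Detector’s own logic: it reads only a volume’s first sector, recognises BitLocker by the “-FVE-FS-” OEM identifier that BitLocker writes at offset 3, recognises common plaintext file systems by their boot-sector signatures, and otherwise falls back to a byte-entropy heuristic, because TrueCrypt and VeraCrypt volumes carry no plaintext signature and can only be inferred, never positively identified, from the first sector. The sample sectors, drive names and the 7.0 entropy cut-off are constructed.

```python
"""Triage of volume boot sectors for disk encryption.

Added example of the kind of check an encrypted-disk detector performs
on a live system or a mounted image. This is not Encrypted Disk
Detector's own logic. It recognises BitLocker by the "-FVE-FS-" OEM
identifier BitLocker writes at offset 3 of a volume's first sector,
recognises common plaintext file systems by their signatures, and flags
an unrecognised first sector with near-random byte distribution as
possibly encrypted. All sample sectors are constructed.
"""
import math
import random
from typing import Dict, List, Tuple

SECTOR_SIZE = 512

# (offset, signature, verdict) checked in order against the first sector.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (3, b"-FVE-FS-", "BitLocker"),
    (3, b"NTFS    ", "NTFS (plaintext)"),
    (3, b"EXFAT   ", "exFAT (plaintext)"),
    (82, b"FAT32   ", "FAT32 (plaintext)"),
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant fill, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_sector(sector: bytes, entropy_threshold: float = 7.0) -> str:
    """Verdict for one volume's first sector.

    A matching signature wins outright. Otherwise a sector whose bytes are
    close to uniformly distributed (above entropy_threshold; 7.0 is a
    constructed cut-off) is reported as possibly encrypted. A low-entropy
    unknown sector is more likely empty, unformatted or an unsupported
    file system than encrypted. TrueCrypt/VeraCrypt can only be inferred
    this way, so the verdict is deliberately "possibly", not "is".
    """
    for offset, signature, verdict in SIGNATURES:
        if sector[offset:offset + len(signature)] == signature:
            return verdict
    if shannon_entropy(sector) >= entropy_threshold:
        return "unknown, high entropy: possibly TrueCrypt/VeraCrypt or other FDE"
    return "unknown, low entropy: unformatted or unsupported file system"


def triage(volumes: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each volume's first sector; keys are whatever names the caller uses."""
    return {name: classify_sector(sector) for name, sector in volumes.items()}


def _sector_with_prefix(prefix: bytes) -> bytes:
    return prefix + bytes(SECTOR_SIZE - len(prefix))


def sample_volumes() -> Dict[str, bytes]:
    """Constructed first sectors: NTFS, BitLocker, random-looking, zero-filled."""
    rng = random.Random(2020)  # fixed seed so the example is repeatable
    return {
        r"\\.\C:": _sector_with_prefix(b"\xeb\x52\x90NTFS    "),
        r"\\.\D:": _sector_with_prefix(b"\xeb\x58\x90-FVE-FS-"),
        r"\\.\E:": bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE)),
        r"\\.\F:": bytes(SECTOR_SIZE),
    }


if __name__ == "__main__":
    for volume, verdict in triage(sample_volumes()).items():
        print(f"{volume}: {verdict}")
```

On a live Windows system the same check would open each `\\.\X:` volume read-only and read its first 512 bytes, which is what makes this kind of triage non-intrusive: nothing is written, and the decision to image before shutting down (so the volume key is not lost) can be made on the spot. The single-drive mode described above fits the same shape, one volume in, one verdict out, which is why it slots into an automated workflow.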

Download all of our Free Tools over at the Free Tools page!

Please note that Dropbox Decryptor is no longer available as a standalone free tool since its functionality has been included (and updated) within Magnet AXIOM.


Magnet AXIOM Cyber Examinations (CY200) Now Available!


We’re excited to announce a new version of our AXIOM Examinations course specifically tailored to Magnet AXIOM Cyber users: Magnet AXIOM Cyber Examinations (CY200)!

CY200 is a perfect entry point for examiners who are new to AXIOM Cyber and is great for those who require intermediate-level training with a digital investigation platform that covers cases involving smartphones, tablets, computers, and cloud data in a single collaborative interface.

This course will feature exercises that are geared toward AXIOM Cyber’s features versus the standard version of AXIOM, including remote computer acquisition, agent creation and deployment, and admin-level cloud account acquisitions of corporate platforms.

Classes start August 4, 2020 in a Virtual Instructor-Led format—save your spot today!

Please note that CY200 is essentially the AXIOM Cyber version of AX200. If you’ve already taken AX200, we would advise that you do not take CY200.

Qualifies to Sit for MCFE – AXIOM Certification

In addition to the 32 CPE credits you can achieve through NASBA by taking CY200, you’re also eligible to become a Magnet Certified Forensic Examiner (MCFE). Everyone who completes CY200 will be able to take the MCFE – AXIOM certification test to demonstrate their competency with the tool.

Visit the Magnet AXIOM Cyber Examination (CY200) page to find a detailed breakdown of each module and objectives for the course. While there, you can find our upcoming schedule and choose the date and location that work best for you.

If you have a Magnet Training Annual Pass (TAP), you can take CY200 as part of your subscription. Don’t have a TAP yet? Visit our Training Annual Pass page for more information. To purchase a TAP, or for any other questions you may have, reach out to us at sales@magnetforensics.com


How to Enable Your Virtual Workforce to Seamlessly Collaborate, Process, and Access Cases


When you were asked to ensure as many team members as possible were working remotely, you were presented with a daunting task. How do you rethink your digital forensic lab’s standard operating procedures (SOPs) almost overnight, without impacting case integrity, chain of custody, quality and lab throughput? 

The challenge is widespread, and you’re not alone: in a recent survey to our law enforcement customers, almost 70% of respondents told us that their work routines have been disrupted – 39% are now on rotating shifts and 30% are strictly working from home.  

Implications of Transitioning to a Virtual Workforce 

The change was swift, and the challenges immediately became clear.  

Primarily, examiners no longer have persistent physical access to the people and technology they rely on to get their jobs done and new bottlenecks in the workflow have emerged. 

Powerful workstations used for acquisition and processing sit offline in the lab, as does the physical evidence. With limited access to the lab (often only one or two examiners are allowed in at a time), the capacity to serve the agency has decreased, forcing teams to ruthlessly prioritize. The main challenge is access to evidence, a struggle for 57% of our law enforcement customer survey respondents.

Additionally, interactions that were once face-to-face and organic now happen via Microsoft Teams or other channels. Case assignment, management and review are a challenge when you can’t physically see the evidence moving through the lab or simply ask a team member about its status.

Fortunately, solutions exist that allow you to be even more resilient by optimizing resources and streamlining processes during these challenging times to continue to serve your agency, and community.  

Securely Access the Lab Remotely, From Anywhere, with Magnet AUTOMATE 

Giving your examiners access to the processing tools in the lab doesn’t mean you need to forgo security (or current health guidelines.)  

Magnet AUTOMATE is an orchestration and automation platform that uses your lab’s existing hardware and software tools to create standardized workflows, to image and process data without examiner intervention. 

By deploying AUTOMATE in the cloud and securely connecting to physical lab assets over a VPN, you can control and orchestrate workflows from anywhere there’s an internet connection, while ensuring that physical evidence items, forensic images, and case materials never leave the lab. This helps alleviate security concerns about extremely sensitive or illicit materials leaving the lab or affecting the chain of custody.

With one or two examiners having physical access to evidence items in the lab, others on the team working remotely can continue to work with the digital outputs from tools and workflows. 

How Does this Work?

Once cases are imaged and processed, they’re stored in a central location (in the cloud or on-prem), ready for analysis and review by an examiner. The queue of cases continues to process even after the “in-lab” examiner returns home, keeping your forensic equipment fully utilized and taking advantage of off-hours overnight and on the weekend. For example, if the “in-lab” examiner queues up 20 cases to process in Magnet AUTOMATE, the system will move through all 20 cases sequentially without an examiner being physically present to start a given task or piece of software.

Additionally, physical workstations (and evidence) can be located anywhere in the world. This gives labs with satellite locations and deployed units the ability to acquire evidence anywhere while processing from one central entity. That central location can be in the cloud, or by securely connecting into your lab’s physical network. Importantly, original evidence and devices remain securely stored within the lab even while new processes are employed to facilitate the work of the team. 

A Magnet AUTOMATE hybrid deployment using Cloud, On-site and Remote assets securely connected via VPN.

Collaborate, Stay Productive and Organized with Magnet ATLAS 

Once you transitioned to a virtual workforce and recognized the need to future-proof your lab, exploring new collaboration and communication tools likely became a top priority for you. Not only to adapt to today’s challenge, but also to become more resilient to future challenges too, such as natural disasters. 

Working together remotely has become essential, and employing a common platform allows the entire team to continue to remain productive while allowing others to request, review, assist with, manage, and ultimately receive the results of the team’s digital forensics work.  

With Magnet ATLAS you can easily keep track of all aspects of a digital forensics investigation, remotely, using any device with an internet connection and a browser. ATLAS is an end-to-end case management, reporting and collaboration platform for internal and external stakeholders.

The intuitive and easy-to-use interface enables any team member to kick off and contribute to the investigation, and role-based permissions, password protection and strong at-rest and in-transit encryption ensure you’re meeting lab security standards at all times.

Case view with the at-a-glance progress bar indicator in Magnet ATLAS Pro.

Designed to follow the normal workflow of the lab, ATLAS assists examiners in documenting the work they do. Creating cases, end-to-end evidence tracking, and standardizing the documentation and note taking during the examination phase are just the beginning of the efficiencies gained by the lab team collaborating in a common system.   

Additionally, ATLAS enables you to manage elements of your lab remotely, keeping track of lab expenditures, tool utilization and licenses, all in one place. 

You’ll gain the ability to easily review requests for lab services, assign casework within the team, monitor progress, and review and approve the finished work. These repeatable workflows can help the team document their compliance with standards required for internal or external accreditation even as physical distancing recommendations may have greatly disrupted the normal work of the day. You’ll also benefit from metrics produced in real-time as the team completes their work. Aggregated directly from the casework, managers can easily report statistics related to the team’s work. From broader case level stats for types, origins and locations to mention a few, to more focused stats based on your defined criteria, you’ll always have rapid access to the numbers needed to identify trends and measure productivity.

Visual reporting and metrics dashboard in Magnet ATLAS Pro.

Especially beneficial as physical distancing guidelines persist, is the ability to distribute “Findings” to appropriate stakeholders. Results can be disseminated to investigators and other authorized internal and external people without the need for unnecessary travel or exposure to lab personnel. When we return to the lab and our offices, this same capability could remain just as beneficial by helping to cost-effectively provide results to stakeholders anywhere there’s an internet connection, and under more standard conditions.    

For our customers, ATLAS has already proven to be an indispensable platform for their newly virtual workforce: 

“A really important element of my unit’s workflow is using ATLAS to keep examinations organized. There are plenty of moving parts, and plenty of evidence items that we deal with on a constant basis. Having access to ATLAS from anywhere that there is an internet connection, makes casework a lot easier. I can maintain productivity, and organization without having to be in the lab during these times. ATLAS continues to help us during these difficult times, and the support behind it is nothing short of custom tailored.” – Luis Martinez, Criminal Investigator, Westchester County District Attorney’s Office 

Create a Resilient “Virtual” Digital Forensics Lab with Magnet AUTOMATE and Magnet ATLAS 

While this is a challenging time, lab managers can drive digital transformation and efficiency in their lab that will last well beyond this crisis. With Magnet AUTOMATE and Magnet ATLAS, we can help your lab be resilient and, in the end, come out on the other side with the capacity to take on more investigations, complete them faster, and ultimately better serve your agency and community.  

Contact your account manager or sales@magnetforensics.com to share with us the problems you’re experiencing and learn how we can help you successfully enable your virtual workforce with our Lab Solutions. 


Magnet Forensics Presents: Cache Up


Hi, all! This is Jessica Hyde with Magnet Forensics. I am excited to announce we will be starting a new show, Cache Up, on Tuesdays at 11:00AM ET.

Cache Up is an interview style show where I will get to speak with some people doing incredible work in forensics and get to know their work and them better. The goal is to learn what these amazing folks are working on, how they got to where they are, and some of their recommendations and ideas. I am excited to get to have these conversations and look forward to sharing them all with you. We will chat with both people you know but also introduce you to some people maybe you should know and do not already. We welcome you to watch and join in the conversation on YouTube live.

Here is our starting lineup on Cache Up for June and July:

So please join us for our first session live on YouTube. Can’t join us live? That’s okay; recordings will be available on the Magnet Forensics YouTube channel and a variety of podcast platforms.

Know of a great guest for Cache Up? Want to be on an upcoming episode? Email me at jessica.hyde@magnetforensics.com.

Looking forward to Cache Up with everyone! 

The post Magnet Forensics Presents: Cache Up appeared first on Magnet Forensics.


Thank You for an Unbelievable Magnet Virtual Summit!

To our valued DFIR community,

Thank You.

Thank you for working night and day to provide a safer place for all of us to live and work.

Thank you for doing that work while juggling the enormous challenge of a global pandemic.

And, on behalf of everyone at Magnet Forensics, thank you for letting us be there with and for you.

On May 4, we kicked off the Magnet Virtual Summit (MVS). We weren’t sure what to expect, but we knew, more than ever, that we wanted to stay socially close to the community while having to be physically distant. We also knew that we had so many amazing industry speakers with valuable content to share, despite having to cancel our Magnet User Summits.

As May draws to an end, MVS is officially wrapping up and we want to express our sincere gratitude for making it a success.

So, THANK YOU to every one of YOU!

The thousands of you around the world! You participated and contributed and we were truly blown away and humbled by the tremendous response. With the hundreds of questions, emails, social chats, messages, posts, etc. throughout May, we felt so connected to so many of you. It motivated our team beyond measure and helped us collect so many great ideas and learnings to better serve you. With so much going on, and so much added responsibility to your day, we are truly grateful that you took added time for us.

We’d like to acknowledge some individuals and groups who volunteered their time to MVS:

All of Our Phenomenal Speakers

If you want to catch up on recordings of their sessions, head over to the Magnet Forensics Resource Center.

The Forensic Lunch Team

Thank you to David Cowen and Matthew Seyer for another great broadcast!

The DFIRFit Team

Brian Moran and Kathryn Hedley and everyone who made a donation and shared a motivational pic!

The CTF Team

Jessica Hyde, Jack Farley, Jordan Kimball, and Garrett Mahoney — it was our biggest CTF ever, with hundreds of people participating around the world, in multiple time zones! Big shout out to David Cowen and Matthew Seyer, Brian Moran, Jad Saliba, Lee Whitfield and David from Dual Core for the live CTF commentary (we hope you have recovered!) and to SANS Forensics and the Champlain College Digital Forensics Association for donating prizes!

The Digital Forensics Discord Server Team

Especially Andrew Rathbun. All the live chat during and after the presentations made it feel like we were all in a conference room together.

26 days, thousands of participants, 48 presentations, 55 speakers, 4 Social Hour hangouts, and one very grateful TEAM MAGNET!!!

Please continue to stay safe and stay healthy. We know that as we all start to slowly transition back to our offices, labs and a “new normal”, many challenging and complicated times are still ahead. We hope you’ll continue to put your loved ones first and know that we are here when you need us.

Thanks for all your continued support,

TEAM MAGNET

The post Thank You for an Unbelievable Magnet Virtual Summit! appeared first on Magnet Forensics.

macOS & iOS Photos Support with Magnet AXIOM

Within recent releases of AXIOM, we’ve added new artifacts to help examiners analyze images found on both iOS and macOS systems. Many investigations hinge on the images found during analysis of the data. These artifacts identify new points of interest and allow more context to be drawn around images found during those investigations.

The amount of media saved to devices is only going to keep rising as Apple keeps releasing larger storage options at cheaper price points. For example, the latest iOS device released by Apple in April of this year, the iPhone SE, can be purchased for under $600 USD with 256GB of onboard storage. Following our artifact-first approach, AXIOM now gives examiners analyzing macOS and iOS evidence additional media artifacts.

In this blog we’ll discuss some of the media, databases, and photo apps found on both iOS and macOS systems, and how AXIOM can help examiners narrow the focus when investigating media-rich evidence.  

If you’re not already using AXIOM and want to try AXIOM 4.1 for yourself, request a trial today.

Photos App

Let’s start with how the end user on both the iOS and macOS platforms interacts with, edits, and shares images: the Photos app, which comes standard on every install. The Photos app holds a bounty of forensically high-value targets, but where does its data actually reside?

macOS path: /Users/<USER>/Pictures/Photos Library.photoslibrary/database/Photos.sqlite

iOS path: /private/var/mobile/Media/PhotoData/Photos.sqlite

Note that if you’re reviewing the Photos.sqlite database on a live, running Mac for your own research, you’ll need to right-click on Photos Library.photoslibrary in Finder and select “Show Package Contents” to reach Photos.sqlite, because the library is a bundle rather than a plain folder.

Under the Media category in AXIOM, you’ll find the Photo Albums artifact for both macOS and iOS. This artifact shows examiners not only all of the albums a user has created to organize their media, but also whether those albums have been shared and with whom. As you can see in the screenshot below, the albums “Travel” and “Family” reveal the album owner’s information, that each has been shared, and who the invitees are. We can also quickly identify that the “Travel” album contains 4 pictures.

The Photo Albums artifact relies on information from the ZGENERICALBUM table found within Photos.sqlite. Within the evidence information section of the details panel, you can review both the table name and the rowid so you can manually validate, in the database itself, what AXIOM has revealed in Artifact view. As part of last year’s AXIOM 3.0 release we overhauled our internal SQLite database viewer. If you haven’t had the chance, make sure to check out this video on some of the updates we’ve added!

The next artifact that pulls information directly from the Photos.sqlite database is Photos Media Information. This artifact shows which images are found within the different albums, each image’s UUID (which we will discuss later in this blog), and the geolocation data associated with the images. In the previous screenshot, we saw that the Travel album had 4 images in it. Below we can identify the image filenames for the Travel album.

While the Photo Albums artifact uses only one table from the Photos.sqlite database, the Photos Media Information artifact pulls from several tables to consolidate data points for examiners. Some of these tables include ZGENERICASSET, Z25ASSETS, ZGENERICALBUM, and ZADDITIONALASSETATTRIBUTES. Below, we’ve highlighted the ZPHOTOSHIGHLIGHT table within AXIOM’s SQLite viewer to review additional information. The ZPHOTOSHIGHLIGHT table provides the description and highlight information that users see inside Photos.app when browsing via For You. Investigators wishing to examine the Photos.sqlite database in more depth should check out Magnet Technical Forensic Consultant Mike Williamson’s blog here.

Another important artifact for investigators working with macOS and iOS image evidence is Live Photos. Originally launched in 2015 with iOS 9 and the iPhone 6s, a Live Photo captures not only a still image but also a short .mov movie file (roughly 1.5 seconds on either side of the shutter press), which can also contain sound.

For years, investigators have had to manually review pictures separately from the movies that make up Live Photos; with AXIOM we associate the two in one artifact. While the image and movie files typically share a name, for example IMG_0017.JPG and IMG_0017.MOV, that pairing always needed to be verified manually, because a matching name is not proof that the two files belong together. In AXIOM, we pair the picture and the video using their matching UUID instead. This 32-hex-digit UUID can be reviewed within the details panel of the Artifact explorer, or manually in the hex of the File System explorer, since it is stored as a plain text string inside both files. As we can see below, the image in question has a UUID of 43A68D86-3DBA-472F-9804-5D1C598DBE79. We can confirm that by following the source link and reviewing the hex, as shown below.

Reviewing not only the image but also the video that corresponds to that photo can allow investigators to build context around when that Live Photo was taken.   
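The manual check described above, pairing a still and a movie by the identifier embedded in both files rather than by filename, as an added Python example (this is not AXIOM’s code and not part of the original post). It assumes the identifier appears as a plain hyphenated UUID string in the raw bytes of both files, which is what makes it visible in a hex view; the file contents below are constructed stand-ins containing only a few header bytes plus that string, and all identifiers other than the one quoted in the post are made up. The comparison with a naive name-based pairing shows why the name alone is not enough: a renamed movie is missed, and two unrelated files that happen to share a stem are paired wrongly.

```python
from __future__ import annotations

import re
from collections import defaultdict

# A hyphenated UUID stored as ASCII text, exactly as it shows up in a hex view.
UUID_RE = re.compile(
    rb"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)
IMAGE_EXT = {".jpg", ".jpeg", ".heic"}
MOVIE_EXT = {".mov"}

# UUID_A is the identifier quoted in the post; the others are constructed.
UUID_A = "43A68D86-3DBA-472F-9804-5D1C598DBE79"
UUID_B = "D2C7E1A0-5B2F-4E7C-9A3D-0F1E2D3C4B5A"
UUID_C = "0A1B2C3D-4E5F-4A6B-8C7D-9E0F1A2B3C4D"
UUID_D = "FEDCBA98-7654-4321-8000-0123456789AB"

# Constructed stand-ins for file contents (assumed layout: header bytes + identifier).
SAMPLE_FILES: dict[str, bytes] = {
    # The common case: matching names and matching identifier.
    "IMG_0017.JPG": b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00Apple iOS\x00" + UUID_A.encode() + b"\xff\xd9",
    "IMG_0017.MOV": b"\x00\x00\x00\x14ftypqt  content.identifier\x00" + UUID_A.encode(),
    # Movie renamed after export: name matching misses it, the identifier does not
    # (lower-case in the still to show that comparison is case-insensitive).
    "IMG_0021.JPG": b"\xff\xd8\xff\xe1Exif\x00\x00" + UUID_B.lower().encode(),
    "clip_from_phone.MOV": b"\x00\x00\x00\x14ftypqt  " + UUID_B.encode(),
    # Same stem, different identifiers: name matching would pair these wrongly.
    "IMG_0030.JPG": b"\xff\xd8\xff\xe1Exif\x00\x00" + UUID_C.encode(),
    "IMG_0030.MOV": b"\x00\x00\x00\x14ftypqt  " + UUID_D.encode(),
    # Ordinary photo with no identifier at all.
    "IMG_0031.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\xff\xd9",
}


def find_uuids(data: bytes) -> set[str]:
    """Every UUID-shaped ASCII string in the raw bytes, normalised to upper case."""
    return {m.group(0).decode("ascii").upper() for m in UUID_RE.finditer(data)}


def _kind(name: str) -> str | None:
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    if ext in IMAGE_EXT:
        return "images"
    if ext in MOVIE_EXT:
        return "movies"
    return None


def group_by_identifier(files: dict[str, bytes]) -> dict[str, dict[str, list[str]]]:
    """Map each identifier to the sorted image and movie filenames that carry it."""
    groups: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"images": [], "movies": []})
    for name, data in files.items():
        kind = _kind(name)
        if kind is None:
            continue
        for uuid in find_uuids(data):
            groups[uuid][kind].append(name)
    return {u: {k: sorted(v) for k, v in g.items()} for u, g in groups.items()}


def classify(groups: dict[str, dict[str, list[str]]]) -> dict[str, str]:
    """'paired' only when exactly one still and one movie share the identifier."""
    status = {}
    for uuid, g in groups.items():
        n_img, n_mov = len(g["images"]), len(g["movies"])
        if n_img == 1 and n_mov == 1:
            status[uuid] = "paired"
        elif n_img and n_mov:
            status[uuid] = "ambiguous"  # more than one candidate; needs a human look
        elif n_img:
            status[uuid] = "image only"
        else:
            status[uuid] = "movie only"
    return status


def pairs_by_identifier(files: dict[str, bytes]) -> set[tuple[str, str]]:
    groups = group_by_identifier(files)
    return {(g["images"][0], g["movies"][0])
            for u, g in groups.items() if classify(groups)[u] == "paired"}


def pairs_by_name(files: dict[str, bytes]) -> set[tuple[str, str]]:
    """The naive stem-based pairing the post warns against, for comparison."""
    by_stem: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"images": [], "movies": []})
    for name in files:
        kind = _kind(name)
        if kind is not None:
            by_stem[name[: name.rfind(".")]][kind].append(name)
    return {(g["images"][0], g["movies"][0]) for g in by_stem.values()
            if len(g["images"]) == 1 and len(g["movies"]) == 1}


if __name__ == "__main__":
    for uuid, status in classify(group_by_identifier(SAMPLE_FILES)).items():
        print(uuid, status)
    print("by identifier:", sorted(pairs_by_identifier(SAMPLE_FILES)))
    print("by name:      ", sorted(pairs_by_name(SAMPLE_FILES)))
```

On real evidence, feed each file’s bytes in from the export directory instead of the constructed dictionary; a scan of the whole file is cheap compared with the cost of presenting a wrongly paired clip, and an “image only” or “movie only” result is itself worth noting in the report.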

If you have any questions regarding our media support, or have ideas on artifacts you would like to see in AXIOM, please don’t hesitate to reach out to me at trey.amick@magnetforensics.com 

The post macOS & iOS Photos Support with Magnet AXIOM appeared first on Magnet Forensics.

Magnet AXIOM 4.1 is Here to Help You Get to the Evidence Faster and With More Efficiency

We’re continuing to build on the significant progress of Magnet AXIOM 4.0 and Magnet AXIOM Cyber 4.0 with Magnet AXIOM 4.1 and Magnet AXIOM Cyber 4.1! Find out below how AXIOM 4.1 will let you get to the evidence even faster and with more efficiency and download it now within AXIOM or over at Customer Portal.

If you haven’t tried AXIOM yet, request a free 30-day trial here.

Get to the Evidence Even Faster

The faster filtering that debuted in AXIOM 4.0 enabled up to 5X faster filtering on global keyword searches, and AXIOM 4.1 extends that work: filtering is now also quicker when you pick a column in Artifact view to filter on, so you can narrow results down by the value you’re looking for with less waiting.

Find Similar Pictures More Efficiently

Building on the ‘Find Similar Pictures’ feature that debuted in AXIOM 4.0, AXIOM 4.1 adds two major enhancements. You can now:

  1. Limit the number of results the feature surfaces, so that only the most relevant matches are displayed. You can specify how many results are returned; the default maximum is 100, and you can raise or lower it as needed.
  2. Initiate a ‘Find Similar Pictures’ filter from the File System view. If you find a picture you’re interested in, right-click it and choose ‘Find Similar Pictures’ to locate additional similar pictures.

Improve Control Over Your Exports

When exporting Zip files from the File System view with the “save file/folder to zip…” option, you can now choose whether to preserve the folder structure of the selected items or to produce a flat export, depending on which form is more useful or required for the recipient.

New Artifacts

  • Latent Wireless WiFi Hotspots
  • Edge Browser (iOS)
  • Passwords & Tokens – Firefox (Windows)

Artifact Updates

  • Autorun (Windows)
  • Burner (Android)
  • Grindr (iOS/Android)
  • Houseparty (Android)
  • Messenger (iOS)
  • Notification Center (Windows)
  • Rebuilt Desktop (Windows)
  • Safari (iOS)
  • SIM Card Data (Android 10)
  • SMS/MMS Messages (Android)
  • Slack (iOS)
  • Snapchat (Android)
  • Telegram (Android)
  • Tinder (Android)
  • Zoom (iOS, Android)

See how you can get data from popular ride-sharing apps Lyft and Uber.

Learn More About How You Can Investigate Photos in macOS/iOS with Magnet AXIOM

In this blog, Trey Amick discusses some of the media, databases, and photo apps found on both iOS and macOS systems, and how AXIOM can help you narrow the focus when investigating media-rich evidence. Read it here.

Get Magnet AXIOM 4.1 and Magnet AXIOM Cyber 4.1 Today!

If you’re already using AXIOM, download AXIOM 4.1 or AXIOM Cyber 4.1 over at the Customer Portal. If you want to try AXIOM 4.1 or AXIOM Cyber 4.1 for yourself, request a free trial today!

The post Magnet AXIOM 4.1 is Here to Help You Get to the Evidence Faster and With More Efficiency appeared first on Magnet Forensics.

Our Commitment to Equality and the Justice Sector

The death of George Floyd at the hands of a Minneapolis Police Officer, with other officers looking on, and the subsequent events surrounding it throughout North America and now the world has given us pause for reflection.

We have had many thoughts, emotions, and questions since. What we can say definitively is that racism is real. Racism and other biases exist all over, including within the justice sector. And, justice cannot exist without equal rights and equal protections for all citizens.

Since Magnet Forensics’ founding, we have employed several former police officers and interacted positively with countless more active officers. In our hearts, we believe police officers get into policing to make a positive impact in their community and to seek justice for all citizens.

But the institution of policing and the broader justice sector cannot rest with only these positive sentiments. We must strive to ensure that all citizens have access to justice, and trust that the police and supporting institutions are there to serve them, regardless of their race. We must look to create resilient governance structures, diverse teams and technologies that identify and root out racism and other forms of discrimination.

Magnet Forensics was founded to try to make a difference for the victims of human trafficking and child sexual exploitation. Supporting the victims of these heinous crimes was the initial motivation, but what was realized is that the advancement of digital forensics could be a structural change in the pursuit of justice. Such primary evidence can close the gaps of doubt, both in securing convictions and in exonerating the innocent.

Seek Justice and Protect the Innocent is not just a corporate moniker for Magnet Forensics. It is core to who we are. Fundamental to that pursuit is helping surface the truth.

We too cannot rest on these aspirations. Magnet Forensics is committed to continuing to look inwards to ensure we are contributing to a justice sector that serves all citizens.

Diversity in the team at Magnet Forensics is a strength and has helped us in the pursuit of our mission. For our part, we are committed to building on this diversity. We are committed to asking ourselves and our team difficult questions about our own biases and to learning about how they can be rooted out in our recruitment, operations, and the technologies we develop.

On behalf of the team at Magnet Forensics, we will be making donations to charities that support the reform of the justice system and racial equality. We also believe it is important to support police agencies that don’t have the ability to conduct timely and comprehensive digital investigations which places justice at risk. Magnet Forensics will be launching a new program to address this challenge later this year.

We stand alongside our communities, customers, and employees as we navigate these
difficult times toward a more just future.

Adam Belsher (CEO) & Jad Saliba (Founder & CTO)

The post Our Commitment to Equality and the Justice Sector appeared first on Magnet Forensics.

Free Mac & iOS Resources for the DFIR Community

Members of the forensic community often take it upon themselves to create scripts, custom artifacts, or software to aid in their investigations and then share them with others, which I’ve always loved. The talent in our community is truly awesome, and I’m thankful to be a part of it. This blog isn’t meant to be the end-all, be-all of every publicly available Mac resource, but to highlight a variety of projects from around the community.

We’ll talk about it more later in this article, but make sure to also check out our Free Tools. We’ve recently updated several of them, and while they aren’t specifically for Mac or iOS they can be used in those investigations as well. 

iLEAPP

Originally unveiled to the public in December 2019, iLEAPP has been under constant development by Alexis Brignoni, with the latest version, 1.2, just recently released. iOS Logs, Events, and Properties Parser, or iLEAPP, is a combination of stand-alone scripts centralized into one tool for parsing things like the Mobile Installation Logs and iOS Notifications content, among many other files. iLEAPP also parses bplists found within the iOS KnowledgeC.db, as well as KnowledgeC fields including:

  • Application Usage 
  • Application Focus 
  • Application Activity 
  • Battery Level 
  • Applications Installed 
  • Device Locked 
  • Plugged In 

Other artifacts parsed include Powerlog information, Safari History, Call History, and SMS. This tool is a fantastic resource for the community, whether it’s being used in conjunction with commercial DFIR tools for validation, or as a standalone tool for labs that are faced with budget constraints and need iOS parsing capabilities.

Alexis has been insanely busy in the last year and is currently nominated for several Forensic 4:cast Awards, including DFIR Article of the Year (“iLEAPP: iOS Logs, Events, and Properties Parser”), DFIR Social Media Contributor of the Year, DFIR Groundbreaking Research of the Year for iLEAPP, DFIR Non-commercial Tool of the Year, and finally Digital Forensic Investigator of the Year! Make sure to head over to Forensic 4:cast and vote!

Head over to his website to learn more about both iLEAPP and his complementary Android tool, ALEAPP (Android Logs Events and Protobuf Parser)!

iOS 13 Images

Josh Hickman (thebinaryhick.blog) has provided a much needed community resource with the release of his iOS 13 images. Not only was he kind enough to provide us with iOS 13.3.1, he went ahead and created a second image for download with iOS 13.4.1 as well. 

These images allow the community to use the same data sets during research and testing, so that outputs from various tools and scripts can be compared. Josh’s iOS 13 images can be found here. If you’re in need of an Android 10 image, Josh has you covered as well; you can find that image here.

Disk Arbitrator

For years examiners have used Target Disk Mode (TDM) as an option when acquiring Mac endpoints. With the T2-based Macs this has become even more popular, because those machines by default do not allow booting from external devices or imagers. When connecting to a target this way, we need a way to stop the examination host from automatically mounting the evidence volumes read/write and altering the evidence.

Connecting to target endpoints

Its creator, Aaron Burghardt, states on GitHub: “Disk Arbitrator is essentially a user interface to the Disk Arbitration framework, which enables a program to participate in the management of block storage devices, including the automatic mounting of file systems. When enabled, Disk Arbitrator will block the mounting of file systems to avoid mounting as read-write and violating the integrity of the evidence.” You can find Disk Arbitrator on Aaron’s GitHub here.

mac_apt

Brought to you by Yogesh Khatri, mac_apt is a Python-based framework for parsing macOS artifacts. I had the pleasure of seeing Yogesh’s presentation during the Magnet Virtual Summit, and seeing mac_apt in action. If you didn’t get a chance to tune in for his initial talk you can find it here, on demand.

With numerous plugins, cross-platform support, and the ability to work with .E01, .DMG, and .AFF4 images, this is quite a powerful platform. We’ll cover how we use mac_apt in conjunction with AXIOM and our free tools later in this article, but I really appreciate the SQLite output option mac_apt offers. As of the v0.5-beta release, mac_apt also supports macOS 10.15 (Catalina) with its separate System and Data volumes. You can learn more over at Yogesh’s website or follow him on Twitter!

mac_apt

Mushy

If you’ve done a Mac or iOS exam, you know how much Apple loves plists. Ian Whiffin (Twitter), over at DoubleBlak Digital Forensics, has several utilities for the community, but I want to highlight Mushy in this blog. Mushy is a great property list (plist) viewer for Windows!

The latest version of Mushy (v1.2.6.0) landed on June 7. Users can simply drag and drop a plist or bplist into Mushy to review the data. Simple and easy to use!

Mushy

When you head to the website, you’ll first need to register for a free account before you can access the software page. Once that’s done, you’ll have access to the utilities that are open to the entire community. Ian also has ArtEx (Artifact Examiner), which helps visualize the iOS KnowledgeC database, a timestamp conversion tool, and Snoopy, which parses Snapchat’s chatConversationStore.plist. Ian’s blog is packed with useful information for examiners wanting a great breakdown of plist decoding; check out this article Ian wrote.

Apollo

Winner of the 2019 DFIR Article of the Year and DFIR Groundbreaking Research of the Year, Sarah Edwards’ article “Knowledge is Power” and APOLLO (Apple Pattern of Life Lazy Output’er) have been a tremendous resource for the community. Providing context to investigations around a user’s pattern of life can be critical, and with APOLLO’s multitude of modules we can break down information ranging from device states to connections and application usage. The amount of data APOLLO provides by correlating entries across multiple databases with thousands of records is truly awesome! If you haven’t, make sure to check out the APOLLO project over at Sarah’s GitHub.

Sarah also posts a ton of great content on social media and of course on her blog!

Magnet Custom Artifact Generator (MCAG)

Announced last month during the Magnet Virtual Summit, the free Magnet Custom Artifact Generator (MCAG) makes short work of creating new custom artifacts for use in AXIOM. MCAG accepts CSV/delimited files and SQLite databases for generating new artifacts. Check out Jessica Hyde’s blog here on how to use MCAG in conjunction with tools such as Alexis Brignoni’s iLEAPP or Yogesh Khatri’s mac_apt.

AXIOM does not natively display the unified log from APFS data sets, although many of our artifacts are derived from information pulled from the unified log during processing. This is due to the sheer size and number of artifacts the unified log would add to an AXIOM case file if it were fully processed (millions of additional artifacts for review).

For investigations where examiners need to go a step further and view the unified log, there is now an easy way to load it into AXIOM. First, using Yogesh’s mac_apt, export a SQLite database containing the unified log. Next, head over to our free tools page and download MCAG. Point MCAG at the SQLite database you created with mac_apt and configure it to create a custom artifact for parsing that database. Lastly, open AXIOM Process, load the SQLite database containing the unified log as evidence (Computer > Mac > Files & Folders), and make sure your custom artifact is loaded into AXIOM. Once processing completes, you’ll be able to investigate the log directly in AXIOM.

Archival Tools

While not forensic utilities, employing Macs in your lab means there will be a need to decompress and open archive formats from a variety of sources. While Macs come standard with Archive Utility.app, users can run into issues when trying to open specialty files with it. I recommend checking out either The Unarchiver, found here, or Keka, found here. Both have great features and work well with the variety of sources the standard Archive Utility struggles with. Personally, I use Keka, which offers different default compression formats and can even be set to exclude macOS metadata such as .DS_Store files and resource forks, which is handy in mixed endpoint environments. Keka also works well with 7-Zip-based archives.

Wrap Up

While there are many additional Mac utilities out there, I hope everyone takes a few minutes to check out the few covered in this blog. Using the different projects in conjunction with your commercial tools makes for a strong combination both with the validation of the data you are working with as well as making evidence collected actionable, faster. If you have other utilities you’d recommend, please feel free to email me at trey.amick@magnetforensics.com 

The post Free Mac & iOS Resources for the DFIR Community appeared first on Magnet Forensics.

Integrate Any Acquisition Tool in Magnet AUTOMATE 2.2 with Watch Folders

You likely have a few different acquisition tools that you consistently use as part of your forensic toolkit. We understand the importance of the toolbox approach to generating credible, reliable, and repeatable results. Our goal has always been to help you do your job, and with the latest Magnet AUTOMATE release we’re helping you do it faster by removing the complexity that a toolkit approach introduces into the workflow.

Now, with AUTOMATE 2.2 you can integrate any acquisition tool, including those without a command line interface, into your automated workflows. This means more of your toolkit can be synced together in one platform, saving you even more time and costs by reducing manual intervention by examiners and ensuring more of your forensic equipment is efficiently utilized 24/7.

The simplicity of Watch Folders is that once an image is acquired and appears in the specified “Watch Folder,” the workflow automatically begins processing.

With Watch Folder workflows, you can integrate any acquisition tool even if they don’t have a command line interface without needing to change or rewrite standard operating procedures (SOPs), including:

  • GrayKey
  • Cellebrite
  • Oxygen Forensics
  • Macquisition
  • EnCase Endpoint Investigator
  • F-Response
  • Tableau TX1 Forensic Imager
  • and more!

Plus, you can always integrate any commercial tool that has a command-line interface and for increased flexibility, you can integrate your own custom scripts (Java and Python.)

How Do You Set up a Watch Folder Workflow?

Now, in the visual workflow builder, you can start with an initial block called “Watch Folder”. This block lets you configure a local or network path that points to where your acquisition tool will be saving images; this is the folder the workflow will always be watching, hence the Watch Folder name.

Setting up a Watch Folder

During configuration, you can specify where AUTOMATE should look for relevant case variables, such as case number and evidence numbering, in the file path so that there’s no need to manually enter this information again after you did so in your acquisition tool during set-up.

Importantly, the Watch Folder is the root folder where the workflow is always monitoring for new images, as you can see in this case it is a folder called “Storage”. This is a static folder.

To avoid processing images over the network, you can set the workflow to copy the image to the processing node so that processing occurs locally.

Now that you have a Watch Folder starting block set up, you can easily create the rest of your customized workflow by dragging and dropping in additional elements. Existing integrations such as Magnet AXIOM, ACQUIRE, OUTRIDER and REVIEW, as well as Atola Task Force Imager, Griffeye Analyze (DI Pro Version) and Volatility Memory Forensics Framework, among others, can be synced together to fully automate the imaging and processing of your standard operating procedures.

What Happens to Images Saved in the Wrong Folder?

Sometimes, file path misconfigurations happen during the manual acquisition step – people can make mistakes! AUTOMATE makes it easy to identify if an image was saved to an unexpected folder within the root in a newly added “Pending Cases” tab.

In this tab, you can see when an image lands in the Watch Folder but with missing information. This can happen if the image was saved directly into the root folder, so that the path carries none of the expected variables (e.g., case number, evidence number). An examiner then has to enter the missing information before processing kicks off. Fortunately, you don’t need to go into your filesystem to correct the path and variables; you can enter this information right from AUTOMATE’s user interface.
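To make the decisions a Watch Folder workflow has to take concrete, here is an added Python example that is not AUTOMATE’s code and does not describe how AUTOMATE is implemented. It assumes a hypothetical folder convention of <root>/<case number>/<evidence number>/<image>, an assumed list of image extensions, and a constructed directory listing for two consecutive polls of the folder. Besides pulling the case variables out of the path and flagging images with missing variables as pending, it adds the check a practitioner will want in any poller: a file whose size is still changing between polls is still being written by the imager and must not be handed to processing yet.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Assumed image types the workflow reacts to; extend per your SOP.
IMAGE_EXTS = {".e01", ".ex01", ".ad1", ".dd", ".raw", ".zip", ".tar", ".ufd"}

# Hypothetical naming convention for the folders between the root and the image.
CASE_RE = re.compile(r"^[0-9]{4}-[0-9]{4}$")   # e.g. 2020-0412
EVIDENCE_RE = re.compile(r"^E[0-9]{2,}$")       # e.g. E01

WATCH_ROOT = "/srv/Storage"

# Constructed listings (path -> size in bytes) for the previous and current poll.
PREVIOUS_POLL = {
    "/srv/Storage/2020-0412/E01/phone.zip": 5_000_000,
    "/srv/Storage/2020-0412/laptop.E01": 80_000_000,
    "/srv/Storage/stray.E01": 10_000,
    "/srv/Storage/2020-0413/E02/disk.E01": 41_000_000,
}
CURRENT_POLL = {
    "/srv/Storage/2020-0412/E01/phone.zip": 5_000_000,   # complete, both variables present
    "/srv/Storage/2020-0412/laptop.E01": 80_000_000,     # no evidence folder -> pending
    "/srv/Storage/stray.E01": 10_000,                    # dropped in the root -> pending
    "/srv/Storage/2020-0413/E02/disk.E01": 42_000_000,   # grew since last poll -> still imaging
    "/srv/Storage/2020-0413/E02/notes.txt": 120,         # not an image -> ignored
    "/srv/Other/2020-0414/E01/x.E01": 1,                 # outside the watch folder -> ignored
}


@dataclass(frozen=True)
class WatchEvent:
    image: str
    case_number: Optional[str]
    evidence_number: Optional[str]

    @property
    def pending(self) -> bool:
        """True when a variable is missing and an examiner must supply it first."""
        return self.case_number is None or self.evidence_number is None


def classify_image(root: str, path: str) -> Optional[WatchEvent]:
    """Extract the case variables from an image path under the watch folder.

    Returns None for files that are not images or that lie outside the root.
    Backslashes are normalised so Windows/UNC paths can be fed in as well.
    """
    p = PurePosixPath(path.replace("\\", "/"))
    if p.suffix.lower() not in IMAGE_EXTS:
        return None
    try:
        rel = p.relative_to(PurePosixPath(root.replace("\\", "/")))
    except ValueError:
        return None
    dirs = rel.parts[:-1]  # folders between the root and the file itself
    case = dirs[0] if len(dirs) > 0 and CASE_RE.match(dirs[0]) else None
    evidence = dirs[1] if len(dirs) > 1 and EVIDENCE_RE.match(dirs[1]) else None
    return WatchEvent(str(p), case, evidence)


def triage(root: str, listing: dict[str, int], previous: dict[str, int]):
    """Split one poll into (ready events, pending events, paths still being written).

    A file whose size differs from the previous poll is assumed to be in progress
    and is held back until two consecutive polls agree.
    """
    ready: list[WatchEvent] = []
    pending: list[WatchEvent] = []
    growing: list[str] = []
    for path, size in sorted(listing.items()):
        event = classify_image(root, path)
        if event is None:
            continue
        if previous.get(path) != size:
            growing.append(path)
            continue
        (pending if event.pending else ready).append(event)
    return ready, pending, growing


if __name__ == "__main__":
    ready, pending, growing = triage(WATCH_ROOT, CURRENT_POLL, PREVIOUS_POLL)
    for e in ready:
        print("READY   ", e.case_number, e.evidence_number, e.image)
    for e in pending:
        print("PENDING ", e.image, "(missing case or evidence number)")
    for path in growing:
        print("WAITING ", path, "(size still changing)")
```

In a real poller the listing would come from walking the share on a timer; the point of the two-poll comparison is that a half-written E01 set looks like a valid image to everything except a size or hash check, and a workflow that starts processing on first sight will produce a scan error rather than a case.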

Scale up Your Existing Resources and Processes to Complete Investigations Faster

Watch Folders are a deceptively simple yet powerful way to bring more of your toolkit into automated workflows. Now you can automate more of your forensic toolkit, focus your examiners’ time where it matters most, unlock your lab’s full capacity, and better serve your agency. In fact, your examiners don’t even need to log in to the AUTOMATE platform to kick off a workflow; it starts automatically when a Watch Folder workflow detects an image.

Let us help you find efficiencies in your lab with Magnet AUTOMATE. Visit our website at https://www.magnetforensics.com/products/magnet-automate/ and fill out the form to contact us.

We’re also hosting a live webinar on June 24 where you’ll be able to learn more about Watch Folders and to find out how these capabilities can help maximize workflow efficiency and eliminate downtime. Register today!

The post Integrate Any Acquisition Tool in Magnet AUTOMATE 2.2 with Watch Folders appeared first on Magnet Forensics.

Scale Up Existing Resources and Processes with Magnet AUTOMATE 2.2

With the latest version of Magnet AUTOMATE, you can now improve service to your agency by scaling-up existing resources and processes with the power of orchestration and automation. 

Find out more about Magnet AUTOMATE 2.2 below, including how you can automate more with mobile-capable workflows, unlock capacity, improve service, save time & costs, and ensure case quality. Want to dive deeper into AUTOMATE and see it in action? Register for our upcoming webinar on June 24.

Automate More with Mobile-Capable Workflows

Magnet AUTOMATE now includes Watch Folder workflows to allow you to integrate any acquisition tool—including mobile tools. With Watch Folder workflows, AUTOMATE accelerates mobile investigations by processing any images from any acquisition tool, even if they don’t have a command line interface, including: 

  • GrayKey 
  • Cellebrite 
  • Oxygen Forensics 
  • Macquisition 
  • EnCase Endpoint Investigator 
  • F-Response 
  • Tableau TX1 Forensic Imager
  • and more! 

Using the new Watch Folder capability, cases seamlessly flow from post-image acquisition through to processing with no downtime, improving the overall efficiency of computer and mobile workflows. 

Want to know more about the Watch Folder workflows? Read this blog to learn more.

Increase Productivity by Reducing Scan times

The Triage Scan search type in AUTOMATE allows examiners to run a scan, using AXIOM, on only the allocated space of a disk (including special files). This can significantly speed up scan times by avoiding carving in unallocated space.

Gain Peace of Mind Around SOPs

AUTOMATE now allows you to hide draft workflows and set carved video size limits per your lab’s SOP and validation procedures.  By ensuring lab technicians and examiners use only approved workflows with settings tuned to meet the requirements for carved videos, you can feel confident that case output consistently meets quality standards. 

Magnet AXIOM 4.1 Integration Allows for Building of Analysis-Ready Cases

Build better cases faster with new advanced features introduced in AXIOM 4.1, now integrated with AUTOMATE: 

  • Scan errors are now recorded, resulting in detailed scan summaries and exception reporting in AXIOM—ensuring that processing exceptions are caught so that examiners can take the right action.
  • Support for AXIOM 4.1 export templates gives examiners the flexibility and control to share only what they select with external stakeholders for review. This capability allows examiners to create simplified data sets, enabling a clear and efficient review process across the agency.
  • AXIOM 4.1 analysis features such as faster filtering and the ability to find pictures visually similar to a query picture are available in the cases AUTOMATE builds. With this integration, examiners are presented with analysis-ready cases so that they can focus their time where it matters most.

Learn More About AUTOMATE in our Upcoming Webinar

On June 24 at 8:00 AM ET & 11:00 AM ET (1:00 PM & 4:00 PM BST), we'll be presenting "Unlock Capacity & Improve Service to Your Agency with Magnet AUTOMATE" where we'll explore:

  • Modern digital investigation challenges
  • How Magnet AUTOMATE can help you unlock capacity and improve service to your agency by getting evidence into the hands of your investigators faster
  • What’s new with Magnet AUTOMATE 2.2, with a focus on mobile-capable workflows, including a demo of the new Watch Folders workflow.

Be sure to save your spot today! For more information on Magnet AUTOMATE, head over to https://www.magnetforensics.com/products/magnet-automate/.

The post Scale Up Existing Resources and Processes with Magnet AUTOMATE 2.2 appeared first on Magnet Forensics.


Yep, Magnet AXIOM Cyber Supports Slack!

As many of us know, Slack has become a dominant collaboration and chat platform used in environments around the globe since its inception in 2009. With over 10 million daily active users and 85,000 paying customers, examiners are frequently facing casework where Slack data plays a pivotal part in the investigation. 

In this blog, we'll discuss the different options examiners have when investigating Slack with Magnet AXIOM Cyber. If you haven't already, make sure to download the latest version of AXIOM Cyber.

Where to Find the Data 

Figure 1: Image Credit: Slack; https://slack.com/features

AXIOM Cyber supports multiple ways of ingesting Slack evidence. The first decision for examiners when loading Slack evidence into AXIOM Cyber is whether they would like to: 

  1. Collect Slack data with AXIOM Cyber’s live acquisition capabilities, or 
  2. Load the Slack compliance exports into AXIOM Cyber for processing. 

For option 1, we’ve made acquiring data directly from Slack into AXIOM Cyber a quick three-step process. Before casework can commence, coordinate with your IT/SOC to make sure AXIOM is whitelisted for apps that can access Slack. You’ll only need to whitelist AXIOM once. Next, simply enter the account information and credentials of the account that is under investigation into AXIOM Cyber and select Analyze Evidence. 

Acquisition process for Slack

With the second option, loading the Slack Standard or Corporate Compliance Exports for processing into AXIOM Cyber is straightforward — point AXIOM Cyber to the .zip you’ve received from Slack.  

If you are wondering where to find these exports, we'll walk through obtaining access to them now. Once again, you may need to work with your Cloud Ops/IT team so they can coordinate getting you access to the compliance exports. To access direct messages, channel information, and attachments without user credentials, you'll need the workspace owner to apply for the corporate export via 'Settings & Administration' from the menu in Slack (that's right, Slack makes you apply to access your own information).

Once Slack has granted your workspace owner access to export data, they'll need to set the date range for the export, which consists of a series of JSON files archived together. One option for the export is 'entire workspace history', for large organizations. I would not recommend this option due to the sheer size of that export. Many organizations that already have compliance exports being generated select 30 days at a time for their archives.

Once exports are generated and after the initial download, they will remain on the account for 10 days before being deleted by Slack. It's important to note that the attachments shared in the workspace are not included in the export file. Slack provides a URL and token to retrieve the attachments; however, if the token has been revoked, the attachments cannot be retrieved.


You will not need to decompress the archive file from Slack; keep it as is when loading it into AXIOM Cyber. Once loaded, you'll want to filter your data to expedite processing in AXIOM. As you can see in the image below, you can select "edit" to identify which users you want to process data for, as well as whether or not you want AXIOM Cyber to include the attachment data, which can increase processing time because AXIOM Cyber downloads each attachment.

Once your evidence is analyzed by either use of the .zip export Slack provides or AXIOM Cyber’s live acquisition, you’ll be able to continue building your case with additional evidence sources within one case file as well as utilize analytical features like Connections and Timeline to complete the story of your investigation for stakeholders. 
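For examiners who want to see what is actually inside that .zip before handing it to a tool, here is an added example reader for the export format described above. It is not AXIOM Cyber's parser. It reads the archive without decompressing it to disk, resolves user and channel IDs to names, lists messages for a selected user (the same scoping the "edit" option gives you), and enumerates attachment references without fetching them, since the files themselves are not in the archive and retrieving them needs a valid token. The export is constructed in make_sample_export() with placeholder IDs; the channel layout (channels.json, users.json, one folder per channel holding YYYY-MM-DD.json files) follows the standard export, while the dms.json plus <dm id>/ folder layout used for direct messages is an assumption.

```python
"""Slack compliance export reader (added example, not AXIOM Cyber's parser).
Reads the .zip as delivered, lists messages per user, and enumerates
attachment references instead of downloading them."""
import io
import json
import zipfile
from datetime import datetime, timezone


def make_sample_export() -> bytes:
    """Constructed two-channel, one-DM export with placeholder IDs and names."""
    users = [{"id": "U001", "name": "dgrimes", "real_name": "Dante Grimes"},
             {"id": "U002", "name": "asmith", "real_name": "Ava Smith"}]
    channels = [{"id": "C001", "name": "general", "members": ["U001", "U002"]},
                {"id": "C002", "name": "finance", "members": ["U001"]}]
    dms = [{"id": "D001", "members": ["U001", "U002"]}]  # layout is an assumption
    general = [
        {"type": "message", "user": "U001", "text": "Morning all", "ts": "1591000000.000100"},
        {"type": "message", "user": "U002", "text": "Hi Dante", "ts": "1591000060.000200"},
    ]
    finance = [
        {"type": "message", "user": "U001", "text": "Q2 numbers attached",
         "ts": "1591086400.000300",
         "files": [{"id": "F001", "name": "q2.xlsx", "size": 2048,
                    "url_private": "https://files.slack.com/files-pri/T000-F001/q2.xlsx"}]},
    ]
    dm = [{"type": "message", "user": "U002", "text": "Can you send the draft?",
           "ts": "1591100000.000400"}]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("users.json", json.dumps(users))
        z.writestr("channels.json", json.dumps(channels))
        z.writestr("dms.json", json.dumps(dms))
        z.writestr("general/2020-06-01.json", json.dumps(general))
        z.writestr("finance/2020-06-02.json", json.dumps(finance))
        z.writestr("D001/2020-06-02.json", json.dumps(dm))
    return buf.getvalue()


def load_export(zip_bytes: bytes) -> dict:
    """Read users, conversations and every message straight out of the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = set(z.namelist())

        def read(name):
            return json.loads(z.read(name)) if name in names else []

        users = {u["id"]: u.get("real_name") or u["name"] for u in read("users.json")}
        # folder name inside the archive -> (kind, display name)
        conversations = {c["name"]: ("channel", "#" + c["name"]) for c in read("channels.json")}
        for d in read("dms.json"):
            who = "/".join(users.get(m, m) for m in d["members"])
            conversations[d["id"]] = ("dm", "DM " + who)

        messages = []
        for name in sorted(names):
            folder, sep, day_file = name.partition("/")
            if not sep or folder not in conversations or not day_file.endswith(".json"):
                continue  # top-level metadata or an unknown folder
            kind, display = conversations[folder]
            for m in json.loads(z.read(name)):
                if m.get("type") != "message":
                    continue
                ts = float(m["ts"])
                messages.append({
                    "conversation": display,
                    "kind": kind,
                    "user": users.get(m.get("user"), m.get("user")),
                    "ts": ts,
                    "when": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                    "text": m.get("text", ""),
                    # References only: fetching url_private needs a valid token.
                    "files": [{"name": f.get("name"), "size": f.get("size"),
                               "url_private": f.get("url_private")}
                              for f in m.get("files", [])],
                })
    messages.sort(key=lambda m: m["ts"])
    return {"users": users, "messages": messages}


def messages_for(export: dict, user: str) -> list:
    """Messages posted by one user: the scoping an examiner applies before processing."""
    return [m for m in export["messages"] if m["user"] == user]


def attachment_refs(export: dict) -> list:
    """Every attachment referenced in the export, with who posted it and where."""
    return [dict(f, posted_by=m["user"], conversation=m["conversation"])
            for m in export["messages"] for f in m["files"]]


if __name__ == "__main__":
    export = load_export(make_sample_export())
    for m in messages_for(export, "Dante Grimes"):
        print(m["when"], m["conversation"], m["text"], [f["name"] for f in m["files"]])
    print("attachments referenced (not downloaded):", attachment_refs(export))
```

Listing attachment references before deciding whether to include attachments in processing tells you up front how many downloads the token will have to cover, and which ones will be missing if it has already been revoked.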

Differences between live acquisition and compliance exports with AXIOM Cyber can be seen below:

Live Acquisition
Leverage user credentials to live acquire:
– Channel messages (public and private)
– Private chats
– Group chats
– Attachments (optional)

Standard or Corporate Export Processing
Process data packages exported from your Slack environment. Supports:
– Multiple user content
– Channel messages
– Private messages (Corporate export only)
– Attachments (optional)

If there are other cloud sources you'd like to see AXIOM Cyber acquire and process from, please don't hesitate to reach out to me at trey.amick@magnetforensics.com.

The post Yep, Magnet AXIOM Cyber Supports Slack! appeared first on Magnet Forensics.

Skype Warrant Returns in Magnet AXIOM

We know how useful it can be to analyze the data from your warrant returns alongside your other evidence sources in AXIOM. AXIOM has long supported the processing of warrant returns from Apple, Facebook, Google/Gmail, Instagram, and Snapchat. And now, new in Magnet AXIOM 4.2 is the ability to ingest and process Skype Warrant Return data as well!

Processing Your Skype Warrant Return

To process your Skype warrant return, you will need to first ensure that it is in ZIP format, with no password. If you received your return as a password protected RAR or ZIP, simply decompress the data and remove the password. Then re-archive the package as a ZIP file and your warrant return is ready for processing!

Once your data is processed, you can view the artifacts parsed from your warrant returns in AXIOM Examine along with your other evidence items. This allows you to analyze all the data from your examination in one case file! Additionally, this gives you the ability to use the analysis features that AXIOM has to offer, such as Connections or the enhanced Timeline Explorer, across your warrant returns and additional evidence sources.

See figure below for an example of the types of artifacts that you might see from your Skype Warrant Return:

Figure: Sample Skype Warrant Return

As warrant return formats are subject to change at any time, please reach out if you discover a change in support! We hope you use Magnet AXIOM to process your Skype warrant returns and encourage you to reach out if you have any questions or issues at tarah.melton@magnetforensics.com.

The post Skype Warrant Returns in Magnet AXIOM appeared first on Magnet Forensics.

Zoom Artifact Support in Magnet AXIOM

We at Magnet Forensics are constantly working to keep up with new artifacts that are relevant to the changing times and assist in your examinations. Recently added to Magnet AXIOM is support for Zoom application artifacts; Zoom has become an extremely popular way for us to connect and communicate in the current world climate. The Zoom support in Magnet AXIOM includes artifacts for the Windows operating system, as well as for both iOS and Android mobile platforms.

Artifacts

After processing for Zoom data, you will see its artifacts under the Chat category in AXIOM Examine. As of AXIOM 4.2, we support Zoom artifacts such as channels, contacts, chat messages, meeting messages, and user account data. Just like any other chats that AXIOM parses, the messages parsed from Zoom can be easily viewed threaded together in Conversation view, as well as in the Preview on the right side of the window in Examine. Note that to parse Zoom User Account data from a Windows device, AXIOM Process requires some additional steps to decrypt that data, detailed in the next section.

Decrypting Zoom User Data

Zoom User Account data uses DPAPI (Data Protection API) encryption, which is used by many applications to store encrypted data on a Windows operating system. Therefore, when processing for this artifact, you will need to put in the user’s Windows account password to decrypt it. After you load in your evidence in AXIOM Process, under the Artifact Details, you will see the ability to click for additional options under the Zoom artifact.

A new window will then open which will prompt you to input the user’s Windows password.

Once processing is complete with that additional data, you will notice that the Zoom User Data artifact in AXIOM Examine will be decrypted!

If you're already using AXIOM, be sure to upgrade to the latest version from the Customer Portal to get all the latest artifact support, including support for Zoom! For those who want to give Magnet AXIOM a try, request a free trial today.

The post Zoom Artifact Support in Magnet AXIOM appeared first on Magnet Forensics.

Expanded Office 365 Unified Audit Log Capabilities with Magnet AXIOM Cyber

With the release of AXIOM Cyber 4.2, users can now ingest Office 365 unified audit logs that are manually exported from Microsoft's Security & Compliance Center into their case files for analysis. In earlier releases of AXIOM Cyber, examiners could collect directly from O365 environments via live acquisition; however, we understand data is sometimes provided to investigators rather than them having the ability to acquire directly. Unified audit logs are invaluable when it comes to tracing user actions within the Microsoft O365 environment. Employee actions ranging from logins to files being copied, deleted, edited, or shared are easily identified with the use of these logs. In this blog we'll walk through exporting the audit logs out of the Security & Compliance Center and review what the data looks like once parsed by AXIOM.

If you haven’t had the opportunity to try AXIOM Cyber yet, make sure to request a free trial here, and for those who already have Cyber, make sure to head over to the Magnet Customer Portal to update today!

Loading O365 Audit Logs

To start, head over to protection.office.com, where you'll need to log in to access the Office 365 Security & Compliance Center. If you log in and don't have sufficient permissions, you'll be prompted to elevate your permissions before moving forward, with a message similar to the one below.


However, if you have the correct permissions on your account, navigate down the left-hand menu bar to "Search" and select "Audit Log Search", as we can see here. You can also use protection.office.com/unifiedauditlog if you prefer not to navigate using the menu bar.

Now we simply need to configure our search to filter through our organization's users. For this investigation, we are interested in what one associate, Dante Grimes, has been doing within his O365 environment over the last week. It's important to remember what the scope of your investigation entails. Did the stakeholder only request information around when a user logged into Microsoft Teams, or did they want to know every file a user has accessed within a given time frame? We can filter on this before we run our search within the Audit Log Search. The Activities dropdown includes a vast array of different activities users can perform while operating in an O365 environment; however, for investigations where you need as much information as possible on what a specific user is doing, leave the default option "Show results for all activities" selected.

Once you’ve successfully queried your data, simply select the “Export results” box in the top right corner of your search window and select “Download all results”. This will generate an auditlog_[date].csv file of your data.

Now that we have our unified audit log CSV, we’ll launch AXIOM Cyber Process, and load our evidence in for processing and analysis.

Once complete, examiners can make quick work of reviewing the audit logs processed with AXIOM Cyber. As you can see below, we can sort the logs based on action to narrow our focus. We can also use AXIOM's relative time filter to get a better understanding of all the changes that occurred to our evidence within a given time frame. Under the Details panel, we see information such as the IP address of the user, the Object ID for the file in question, the original file name, and the raw data from the log for reference.
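To show where those Details panel values come from, here is an added example parser for the auditlog_[date].csv download. It is not AXIOM Cyber's parser. The export has four summary columns (CreationDate, UserIds, Operations, AuditData), and the AuditData column holds the whole event as JSON, which is where ClientIP, ObjectId and SourceFileName live. The example flattens each row, scopes the result to one user and time window, counts operations for sorting by action, and applies a relative time window around one event of interest, mirroring the review steps described above. The five rows are constructed; the user names, IP addresses, tenant name and paths are placeholders.

```python
"""Office 365 unified audit log CSV parser (added example, not AXIOM Cyber's
parser). Flattens the AuditData JSON and supports user, time-window and
operation filtering over the result."""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def make_sample_csv() -> str:
    """Constructed export rows in the four-column layout of the real download."""
    site = "https://example-my.sharepoint.com/personal/dante_grimes/Documents/"
    events = [  # (CreationTime, user, operation, workload, client IP, object, file name)
        ("2020-05-20T10:02:00", "dante.grimes@example.com", "FileAccessed", "SharePoint",
         "198.51.100.4", site + "old.docx", "old.docx"),
        ("2020-06-03T08:55:02", "dante.grimes@example.com", "UserLoggedIn", "AzureActiveDirectory",
         "203.0.113.7", "placeholder-app-id", None),
        ("2020-06-03T14:05:11", "dante.grimes@example.com", "FileAccessed", "OneDrive",
         "203.0.113.7", site + "Q2 plan.xlsx", "Q2 plan.xlsx"),
        ("2020-06-03T14:06:40", "dante.grimes@example.com", "FileDownloaded", "OneDrive",
         "203.0.113.7", site + "Q2 plan.xlsx", "Q2 plan.xlsx"),
        ("2020-06-04T09:12:00", "ava.smith@example.com", "FileDeleted", "SharePoint",
         "203.0.113.9", site + "Q2 plan.xlsx", "Q2 plan.xlsx"),
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, user, op, workload, ip, obj, fname in events:
        data = {"CreationTime": when, "Operation": op, "Workload": workload,
                "UserId": user, "ClientIP": ip, "ObjectId": obj}
        if fname:
            data["SourceFileName"] = fname
        writer.writerow([when + ".0000000Z", user, op, json.dumps(data)])
    return out.getvalue()


def parse_time(value: str) -> datetime:
    """Audit timestamps are UTC; accept with or without a fraction and trailing Z."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_audit_csv(text: str) -> list:
    """Flatten each row into one event; the JSON in AuditData wins over the summary columns."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        data = json.loads(row["AuditData"])
        events.append({
            "time": parse_time(row["CreationDate"]),
            "user": (data.get("UserId") or row["UserIds"]).lower(),
            "operation": data.get("Operation") or row["Operations"],
            "workload": data.get("Workload"),
            "client_ip": data.get("ClientIP"),
            "object_id": data.get("ObjectId"),
            "file_name": data.get("SourceFileName"),
            "raw": data,  # keep the full record for the report
        })
    events.sort(key=lambda e: e["time"])
    return events


def filter_events(events, user=None, since=None, until=None, operation=None) -> list:
    """Scope to one user and/or an absolute time window and/or one action."""
    return [e for e in events
            if (user is None or e["user"] == user.lower())
            and (since is None or e["time"] >= since)
            and (until is None or e["time"] <= until)
            and (operation is None or e["operation"] == operation)]


def operation_counts(events) -> Counter:
    """How many of each action, for sorting the review by activity type."""
    return Counter(e["operation"] for e in events)


def relative_window(events, anchor: dict, before: timedelta, after: timedelta) -> list:
    """Events within [anchor - before, anchor + after]: a relative time filter around one event."""
    return filter_events(events, since=anchor["time"] - before, until=anchor["time"] + after)


if __name__ == "__main__":
    evs = parse_audit_csv(make_sample_csv())
    print(operation_counts(evs))
    dante = filter_events(evs, user="dante.grimes@example.com",
                          since=parse_time("2020-06-01T00:00:00Z"))
    for e in dante:
        print(e["time"].isoformat(), e["operation"], e["workload"], e["client_ip"], e["file_name"])
    for e in relative_window(evs, dante[-1], timedelta(minutes=5), timedelta(minutes=5)):
        print("near the download:", e["operation"], e["time"].isoformat())
```

Keeping the parsed AuditData alongside the flattened fields matters because the JSON schema varies by workload: a SharePoint event carries SourceFileName and SiteUrl, a sign-in event does not, and the raw record is what you fall back to when a field you need is not in the summary.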

If you have any questions or have ideas on new artifacts you’d like to see supported with AXIOM Cyber, don’t hesitate to reach out at trey.amick@magnetforensics.com.

The post Expanded Office 365 Unified Audit Log Capabilities with Magnet AXIOM Cyber appeared first on Magnet Forensics.

Introducing Custom Targeted Locations with Magnet AXIOM Cyber

Since AXIOM Cyber's inception, we've made remote collection of artifacts that are frequently needed for investigations easier by including a list of preconfigured Targeted Locations. Evidence such as browser history, the $MFT, Pagefile.sys, registry files, and the macOS unified logs has been quickly accessible without examiners needing to remember path locations and manually select each artifact. Based on customer feedback, we've now added the ability to customize your own list of Targeted Locations with the release of AXIOM Cyber 4.2.

In this blog we’ll discuss how examiners can now create their own custom Targeted Locations with AXIOM Cyber, saving you time by eliminating the need to navigate the file tree for artifacts that are frequently needed in casework.

If you haven’t had the opportunity to try AXIOM Cyber yet, make sure to request a free trial here. And for those who already have AXIOM Cyber, make sure to head over to the Magnet Customer Portal to update today!

When we decided it was time to make a dedicated corporate product, our main objective in doing so was to rethink the common complaints we heard from examiners working cases day in and day out. We took a different approach with AXIOM Cyber, enabling examiners to deploy agents to both Windows and Mac endpoints as needed with an ad hoc approach versus the traditional approach of having agents preinstalled on every endpoint. Speaking from personal experience, reconfiguring and updating mass-deployed agents can be a challenging endeavor in corporate environments when coordinating with multiple teams from across the organization.  

We also wanted to incorporate our artifact-first approach into the remote acquisition phase of the investigation by providing examiners an already curated list of Targeted Locations they could quickly select to collect from for both Windows and Mac. The list below includes what comes preconfigured with AXIOM Cyber.

Preconfigured Targeted Locations

Item | Operating system | Description
All users – Folders | Windows, macOS | Download items from the default User folder location (C:\Users\username\*.*, /Users/username/*.*) for all users.
All users – Desktop items | Windows, macOS | Download items from the default Desktop folder location (C:\Users\username\Desktop\*.*, /Users/username/Desktop/*.*) for all users.
All users – Documents | Windows, macOS | Download items from the default Documents folder location (C:\Users\username\Documents\*.*, /Users/username/Documents/*.*) for all users.
All users – Downloaded items | Windows, macOS | Download items from the default Downloads folder location (C:\Users\username\Downloads\*.*, /Users/username/Downloads/*.*) for all users.
Web browsing activity | Windows, macOS | Download web browsing activity such as history, temporary internet files, download history, cookies, and more for Chrome, Firefox, Internet Explorer, 360 Safe Browser, and Opera.
Registry files | Windows | Download registry files from the target computer. For example, registry files located at C:\Windows\System32\config\*.dat and C:\Users\username\NTUSER.dat.
Event logs | Windows | Download event logs from the target computer. For example, event logs located at C:\Windows\System32\config\ and C:\Windows\System32\winevt\Logs.
Pagefile.sys | Windows | Download the pagefile.sys file from the target computer.
Swapfile.sys | Windows | Download the swapfile.sys file from the target computer.
$MFT | Windows | Download the Master File Table ($MFT) from the target computer.
iOS backups | macOS | Download iOS backups for all users.
iCloud data | macOS | Download iCloud data for all users.
Unified logs | macOS | Download unified logs from the target computer.
Quarantine files | macOS | Download files with a quarantine flag from the target computer.
Bash | macOS | Download bash sessions for all users.
Spotlight shortcuts | macOS | Download Spotlight shortcuts for all users.
Daily.out | macOS | Download the Daily.out file from the target computer.
Finder MRU | macOS | Download information about recently accessed paths in the Finder application for all users.
App Store downloads | macOS | Download a history of App Store downloads from the target computer.

Custom Targeted Locations

Adding new Targeted Locations so you only remotely collect exactly what it is that you need is a breeze with AXIOM Cyber 4.2!

  • Navigate to the Targeted Locations section within AXIOM Process
  • Select “Add New Targeted Location”
  • Name your new location and complete the path you want AXIOM Cyber to collect from

In the example below, I’ve created a new Targeted Location with a description of Company Information_All Users. In the path information section, I’ve designated AXIOM to recursively acquire all the contents of the folder “Company Information” from every user found on the endpoint.

A few important things worth noting when building new Targeted Locations:

  • Using [user_name] in the path will search all user folders on the endpoint
  • Acquiring a folder via star-dot-star (*.*) is recursive: it will grab all subfolders and their contents
  • Filename extension patterns (*.txt, for example) are not recursive
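The three rules above decide exactly what a custom Targeted Location will pull back, so here is an added example that models them as a small pattern resolver. It is not AXIOM Cyber's code: [user_name] fans out to every user folder, a trailing *.* collects a folder recursively, an extension glob such as *.txt matches only the named folder, and anything else is an exact file path. It runs against a constructed listing of an endpoint rather than a live filesystem, with placeholder user names; treating every folder under C:\Users (Public included) as a user folder is an assumption, and the real product may differ in such details.

```python
"""Targeted Location pattern resolver (added example, not AXIOM Cyber's code).
Models the [user_name], *.* (recursive) and *.ext (non-recursive) rules
against a constructed endpoint listing."""
from fnmatch import fnmatchcase

# Constructed endpoint listing; user names and paths are placeholders.
ENDPOINT_FILES = [
    r"C:\Users\dgrimes\Company Information\plan.docx",
    r"C:\Users\dgrimes\Company Information\2019\budget.xlsx",
    r"C:\Users\dgrimes\Desktop\notes.txt",
    r"C:\Users\dgrimes\Desktop\old\todo.txt",
    r"C:\Users\dgrimes\NTUSER.dat",
    r"C:\Users\asmith\Company Information\clients.csv",
    r"C:\Users\asmith\Desktop\memo.txt",
    r"C:\Users\Public\readme.txt",
    r"C:\Windows\System32\config\SYSTEM",
]


def norm(path: str) -> str:
    """Case-insensitive, forward-slash form so Windows and macOS paths compare alike."""
    return path.replace("\\", "/").lower()


def user_folders(files, users_root: str) -> list:
    """Names of the folders directly under users_root, derived from the listing."""
    root = norm(users_root).rstrip("/") + "/"
    names = []
    for f in files:
        n = norm(f)
        if n.startswith(root):
            parts = n[len(root):].split("/", 1)
            if len(parts) == 2 and parts[0] not in names:  # skip files sitting in the root itself
                names.append(parts[0])
    return names


def match_one(pattern: str, files) -> list:
    """Apply one fully expanded pattern (no [user_name] left) to the listing."""
    pat = norm(pattern)
    folder, _, leaf = pat.rpartition("/")
    if leaf == "*.*":
        # Recursive: everything at any depth under the folder.
        return [f for f in files if norm(f).startswith(folder + "/")]
    if "*" in leaf or "?" in leaf:
        # Glob on the file name only: direct children of the folder, no recursion.
        return [f for f in files
                if norm(f).rpartition("/")[0] == folder
                and fnmatchcase(norm(f).rpartition("/")[2], leaf)]
    # Exact file path.
    return [f for f in files if norm(f) == pat]


def resolve(pattern: str, files=ENDPOINT_FILES, users_root: str = r"C:\Users") -> list:
    """Expand [user_name] across all user folders; return matches in listing order, deduplicated."""
    if "[user_name]" in pattern:
        expanded = [pattern.replace("[user_name]", u) for u in user_folders(files, users_root)]
    else:
        expanded = [pattern]
    hits = []
    for p in expanded:
        for f in match_one(p, files):
            if f not in hits:
                hits.append(f)
    return hits


if __name__ == "__main__":
    for pat in (r"C:\Users\[user_name]\Company Information\*.*",
                r"C:\Users\[user_name]\Desktop\*.txt",
                r"C:\Users\[user_name]\NTUSER.dat"):
        print(pat)
        for f in resolve(pat):
            print("   ", f)
```

Dry-running a new location against a listing like this before deploying the agent is a cheap way to catch the two classic surprises: a *.txt pattern that silently misses files one folder down, and a *.* pattern on a folder that turns out to be far larger than expected.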

If you have any questions or have ideas on new artifacts you'd like to see supported with AXIOM Cyber, don't hesitate to reach out at trey.amick@magnetforensics.com.

The post Introducing Custom Targeted Locations with Magnet AXIOM Cyber appeared first on Magnet Forensics.
