Channel: Magnet Forensics

AFF4 & AFF4-L — An Open Standard for Forensic Imaging


Hi!  Jessica Hyde here with Kevin Brightwell, Senior Software Developer, and the technical lead for our integration of AFF4 and AFF4L.

In AXIOM 4.2, we have integrated AFF4 support for forensic images and we wanted to take an opportunity to share how we believe this integration and further acceptance of the AFF4 and AFF4-L formats can be of benefit to the forensic community.

What is AFF4?

AFF4 is a forensic container format for creating forensic images. The format was created in 2009 and explored in the paper “Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow” by Michael Cohen, Simson Garfinkel, and Bradley Schatz. Documentation, an overview, and the GitHub repository for the project can be found at http://www2.aff4.org/. AFF4 is not that new, but it provides some distinct advantages over other forensic containers.

One of the most touted features of AFF4 is the increased imaging speed.  AFF4 utilizes block hashing as its primary hash validation.  This is a major advantage in time as it allows the image to be verified while it is being opened. Linear hash verification is still available if a lab requires it; however, it is now possible for labs to utilize block hashing to validate the image integrity initially and delay or eliminate potentially lengthy linear hash verification until after processing – getting you to your results faster.
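To make the block-hashing idea concrete, here is an added Python model of a block-hashed container (example code written for this post, not AFF4's on-disk format or AXIOM's implementation): the 4 KiB block size, the dictionary layout and the function names are assumptions of the illustration, and every digest is SHA-256. It shows why a block can be verified the moment it is read, while the linear hash remains available as a deferred full pass.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this illustration


def build_image(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Simulate imaging: one pass over the source computes per-block SHA-256
    digests, a digest over the list of block digests (the 'block map'), and
    the conventional linear SHA-256 of the whole stream."""
    linear = hashlib.sha256()
    block_map = hashlib.sha256()
    block_hashes = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        digest = hashlib.sha256(block).digest()
        block_hashes.append(digest)
        block_map.update(digest)
        linear.update(block)
    return {
        "data": bytearray(data),  # mutable so the demo can simulate damage
        "block_size": block_size,
        "block_hashes": block_hashes,
        "block_map_hash": block_map.digest(),
        "linear_hash": linear.digest(),
    }


def block_count(image: dict) -> int:
    return len(image["block_hashes"])


def verify_block_map(image: dict) -> bool:
    """Cheap first check: the list of block digests is itself intact."""
    h = hashlib.sha256()
    for digest in image["block_hashes"]:
        h.update(digest)
    return h.digest() == image["block_map_hash"]


def verify_block(image: dict, index: int) -> bool:
    """Verify one block against its recorded digest."""
    bs = image["block_size"]
    block = bytes(image["data"][index * bs:(index + 1) * bs])
    return hashlib.sha256(block).digest() == image["block_hashes"][index]


def read_block(image: dict, index: int) -> bytes:
    """Read a block for processing, verifying it on the way (this is what
    lets an image be validated while it is being opened). Raises on a
    mismatch so the examiner learns exactly which block is damaged."""
    if not verify_block(image, index):
        raise ValueError(f"block {index} failed hash verification")
    bs = image["block_size"]
    return bytes(image["data"][index * bs:(index + 1) * bs])


def find_corrupt_blocks(image: dict) -> list:
    """Full block-wise pass: indices of blocks that no longer match."""
    return [i for i in range(block_count(image)) if not verify_block(image, i)]


def verify_linear(image: dict) -> bool:
    """Traditional whole-stream check: a full pass that can be deferred until
    after processing, or skipped if the lab accepts block-level verification."""
    return hashlib.sha256(bytes(image["data"])).digest() == image["linear_hash"]


def corrupt_byte(image: dict, offset: int) -> None:
    """Simulate damage in transit or storage by flipping one byte."""
    image["data"][offset] ^= 0xFF


if __name__ == "__main__":
    # Constructed sample 'disk' of 10,240 bytes -> 3 blocks (4096, 4096, 2048)
    img = build_image(bytes(range(256)) * 40)
    print("blocks:", block_count(img), "block map ok:", verify_block_map(img))
    corrupt_byte(img, 5000)
    print("corrupt blocks:", find_corrupt_blocks(img), "linear ok:", verify_linear(img))
```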

In addition to speed and block-hashing, there is another critical feature of AFF4. The format is open source and vendor neutral as opposed to proprietary formats such as .E01. There is a vibrant community that works on the format and it has been peer-reviewed through numerous academic papers published in peer-reviewed journals. Several academic references are listed at the end of this post.

AXIOM began supporting AFF4 physical images from MacQuisition in version 3.7. Starting with the release of AXIOM 4.2, we will be supporting AFF4 images from other sources like Evimetry. Other imaging platforms that support creation of AFF4 images include Atola TaskForce. Evimetry and Atola TaskForce are commonly seen as two of the fastest imaging platforms on the market.

AFF4-L

What about logical images? The current “standard” format of today is the proprietary .L01 format. There is no public specification for this format and hence it cannot be updated to meet new needs as evidence evolves. This is where AFF4-L comes in. AFF4-L is a new open-source, vendor neutral standard for logical images that is based on the AFF4 format.

There are several areas where the community would benefit from using AFF4-L. These include acquisitions from the cloud, targeted acquisitions, and exports of subsets of data. Cloud acquisitions tend to take the form of data streams, often in JSON, that need to be stored in some container. Targeted acquisitions often contain raw files from specific locations on a remote or attached system. In other instances, examiners need to deliver a subset of data to another examiner or organization for a variety of reasons, including keeping the exam to a scoped set of data, sharing only responsive data, and redacting contents that are not sharable with another organization due to confidentiality or other reasons. The ability to store contents in these circumstances in a vendor-agnostic, non-proprietary forensic container is critical.

Today, these exports are typically done in archive formats like .zip, .rar, or .tar. These exports can be problematic. For example, when data is exported in a zip and moved to another system, the MAC times on the folders may change. This can be overcome using a log file that contains metadata regarding the initial contents of the archive. However, there is value in having a true forensic container to ensure the integrity of the contents.

Additionally, the AFF4-L format has potential to be used when contents are exported to be shared with other parties like counsel. This would allow for the contents to maintain forensic integrity. As a vendor-neutral, open source standard, this format can also serve as a method of sharing and moving data between different tools.

There are other potential uses for the AFF4-L format, including serving as a forensic container for logical mobile images. Use of an open standard for imaging of mobile devices will allow those forensic images to be used in multiple tools instead of only being processed by the tool that created a proprietary image type. Additionally, the AFF4-L format could potentially be used with load files in the future for providing data to eDiscovery platforms.

The Format of the Future?

There is a great need by the forensic community to utilize an open-source container for forensic images such as AFF4 for physical images and AFF4-L for logical images. Use of the AFF4 and AFF4-L formats has the potential to increase the interoperability of tools. The image format is created and improved upon with community input and has been peer-reviewed by academia. The format is feature rich and easy to read. Because AFF4 and AFF4-L utilize plain-text TTL (.turtle) files, the contents of a hierarchical file system can be navigated by a human, not just a machine. Most importantly AFF4 and AFF4-L provide strong fast integrity verification.

Now is the time for the forensic community to begin wide acceptance of this open-source, non-proprietary format that is tested, validated, peer-reviewed, and open to anyone, for both physical acquisitions and logical images and exports.

Please feel free to reach out to us, jessica.hyde@magnetforensics.com or kevin.brightwell@magnetforensics.com with your comments or questions about our AFF4 integration or our thoughts on the future of AFF4-L. We would love to hear your thoughts.

AFF4 and AFF4-L references

Cohen, M., & Schatz, B. (2010). Hash based disk imaging using AFF4. Digital Investigation, 7. doi:10.1016/j.diin.2010.05.015

Schatz, B. L. (2019). AFF4-L: A Scalable Open Logical Evidence Container. Digital Investigation, 29. doi:10.1016/j.diin.2019.04.016

Cohen, M., Garfinkel, S., & Schatz, B. (2009). Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow. Digital Investigation, 6. doi:10.1016/j.diin.2009.06.010

Schatz, B. L. (2015). Wirespeed: Extending the AFF4 forensic container format for scalable acquisition and live analysis. Digital Investigation, 14. doi:10.1016/j.diin.2015.05.016

Schatz, B., & Cohen, M. (2010). Refining Evidence Containers for Provenance and Accurate Data Representation. Advances in Digital Forensics VI IFIP Advances in Information and Communication Technology, 227-242. doi:10.1007/978-3-642-15506-2_16

Schatz, B. (2015). U.S. Patent No. US10354062B2. Washington, DC: U.S. Patent and Trademark Office.

Aff4. (n.d.). Aff4/Standard. Retrieved June 26, 2020, from https://github.com/aff4/Standard

The post AFF4 & AFF4-L — An Open Standard for Forensic Imaging appeared first on Magnet Forensics.


Updates in Magnet AXIOM 4.2 Include Support for AFF4, Skype Warrant Returns, and WhatsApp


Magnet AXIOM 4.2 and Magnet AXIOM Cyber 4.2 are now available for download! Get it now within AXIOM or over at the Customer Portal.

AXIOM 4.2 brings AFF4 support, the ability to ingest Skype Warrant Returns, and new WhatsApp data collection options, along with customized Targeted Locations and support for Office 365 Unified Audit Logs in AXIOM Cyber 4.2.

If you haven’t tried AXIOM yet, request a free 30-day trial here.

AFF4 Forensic Container Support

AFF4 (Advanced Forensics File format 4), an open source format designed for the storage of digital evidence and data, is now supported in AXIOM 4.2—including support for ingesting and processing AFF4 Physical Images.
The AFF4 format offers several advantages including:

  • Vendor agnostic
  • Open-source: Proof that AFF4 is 100% forensically sound
  • Multiple factors of compression: Can configure algorithms to balance space vs. speed
  • Block hashing: AFF4 images allow for extremely fast verification via the use of block hashing
  • Metadata: Configurable and fully customizable, allowing vendors to add more metadata as they prefer

For more information on AFF4, read this blog from Jessica Hyde.

Ingest Skype Warrant Return Data

AXIOM 4.2 can now ingest Skype Warrant Return data, in addition to our existing Warrant Return support for Apple, Google, Facebook, Instagram, and Snapchat. AXIOM will parse chat contents, as well as information about the target account, into artifacts for examiners.

For more information, check out this blog from Tarah Melton.

Easily Collect WhatsApp Data

WhatsApp continues to be one of the most popular messaging platforms in the world. This feature is designed to help you acquire WhatsApp data from mobile devices that are unlocked and connected to a network.

AXIOM will present you with a QR code, which must be scanned from the WhatsApp application on the mobile device containing the messages to be collected. From there, you will be presented with a list of conversations and can choose which messages to acquire and process within AXIOM.

The device doesn’t need to be physically connected for data collection, nor do you need to keep the device – AXIOM automatically captures the selected conversations.

For more information, watch a how-to video from Tarah Melton:

Review Categorized Media by Source

The Media Categorization summary now also includes a section that summarizes the media found in the case per evidence source. The categorized media is summarized for each category based on the case.

In situations where multiple media evidence items might be across different sources, you can now easily see what media was found where.

New in Magnet AXIOM Cyber: Customize Targeted Locations

Locations can consist of one or more paths to a specific file or all contents of a folder. Paths are normalized to support collection on both Windows and Mac and support a wildcard for the user directory.

Check out Trey Amick’s blog to learn more about how to customize Targeted Locations.

AXIOM Cyber: Office 365 Unified Audit Logs

Magnet AXIOM Cyber will now offer the ability to import and parse Microsoft Unified Audit log files generated using the Microsoft Security and Compliance Center (MSCC).

Read Trey Amick’s blog Expanded Office 365 Unified Audit Log Capabilities with AXIOM Cyber to learn more!

AXIOM Cyber: Full RAM Collection Performance Improvements

Magnet AXIOM Cyber will now collect full RAM 40-60% faster (depending on the amount of RAM being collected).

New Artifacts

  • Windows Credentials (Windows)
  • Microsoft Edge (iOS)
  • Duck Duck Go (Android)
  • Private Photo Vault (Android)
  • RDP Bitmap Cache (Windows)

Artifact Updates

  • Zoom (Windows/Android/iOS) (Learn more in this blog from Tarah Melton)
  • Photos (iOS)
  • Tinder (Android)
  • Signal (iOS)
  • Shellbags (Windows)
  • Houseparty (iOS)
  • Burner (Android)
  • Discord (iOS)
  • TextFree (iOS/Android)
  • Android Messages (Android)
  • Messenger (iOS)
  • Google Duo (Android)
  • Best Secret Folder (iOS)
  • KnowledgeC (iOS)

Get Magnet AXIOM 4.2 and Magnet AXIOM Cyber 4.2 Today!

If you’re already using AXIOM, download AXIOM 4.2 or AXIOM Cyber 4.2 over at the Customer Portal. If you want to try AXIOM 4.2 or AXIOM Cyber 4.2 for yourself, request a free trial today!

The post Updates in Magnet AXIOM 4.2 Include Support for AFF4, Skype Warrant Returns, and WhatsApp appeared first on Magnet Forensics.

Our Contributions to the Reform of the Justice Sector and Racial Equality


As a follow up to our recent statement on the death of George Floyd and the broader issue of racial equality and the justice sector, we want to thank the DFIR community for your feedback and recommendations on how we can best contribute to this important cause and help drive positive change.

As mentioned previously, Magnet Forensics will be making donations to charities that support reform of the justice system towards racial equality. We took some time to consider the feedback received to ensure our choices align to organizations and programs that we believe will make a tangible impact. 

We are proud to now share that, in the United States, Magnet Forensics will be donating to the Center for Policing Equity. We were struck by their bold call to action in light of recent events: “Right now, finding justice feels a long way off. And measuring justice feels impossible. Let’s do the impossible.” Beyond their ambitious goals, we are pleased to support their data-driven approach and constructive dialogue with police agencies to achieve meaningful reforms.

Within Canada, we will be making a donation to the Black Legal Action Centre. This law clinic is focused on low-or-no income members of the Black community. They provide legal support to communities in need with a broad justice focus, including support in proceedings related to employment, housing, education, human rights, and police complaints.

We will also be donating to Friendship Centres, who provide services to improve the quality of life for Indigenous persons living in urban environments. We will be steering our funding towards their justice programs which include support to indigenous youth to ensure they’re treated fairly through the court process when charged with a criminal offense.

In addition to these financial donations Magnet will be donating our software, in-kind, to organizations with financial need, whose activities align with our mission to “Seek Justice, Protect the Innocent”. Eligible organizations will include public sector agencies as well as charities/not-for-profits who are similarly committed to driving justice sector change in a tangible way. A formal portal to request such support will be online later this year.

Adam Belsher (CEO) & Jad Saliba (Founder & CTO)

The post Our Contributions to the Reform of the Justice Sector and Racial Equality appeared first on Magnet Forensics.

Tips to Improve Your Digital Forensic Lab’s Efficiency


Recently, our team helped a digital forensics unit in a situation that might be familiar to you. The Head of Digital Forensics at a law enforcement agency came in early on a Monday morning to prepare for the week. He opened his inbox to find an email from his manager, the head of Forensics, about his proposal to improve the productivity of the digital forensics lab.

His request for additional funding for new lab hardware (such as more RAM, SSDs, faster CPUs) and increased headcount was declined.

After a follow-up meeting that afternoon, it was made clear that pressure from the units his lab supports meant a more drastic improvement in service levels was needed, including guaranteed turnaround times, without the significant investments in new hardware and headcount he had proposed.

If you’ve tried to increase the efficiency of your digital forensics lab using a similar approach, then you know that it may temporarily alleviate the pressure on your lab, but that it has become impossible to keep up. The volume of data, devices and cases involving digital evidence is continually increasing.

Reimagining how your resources are allocated, and your current processes and workflow, will allow you to unlock the capacity currently in your lab.

Here are four tips to help get you started:

Record and Analyze Your Processes to Target Inefficiencies 

Your first step towards identifying where your main inefficiencies exist should involve recording and analyzing current processes and workflows. The goal is to pinpoint where the most time and resources are currently dedicated, as well as where there’s the most downtime. Helpful questions to ask as part of this exercise are:

  • How much downtime do you have in between each step of the workflow?
  • Where do your examiners spend the most time? Is it on imaging and processing? Or where their skills are best applied at analysis and reporting?
  • How long does it take for your lab to turn a case around to investigators?

You can uncover valuable insights by requesting that each examiner record when they start and stop each part of the workflow using a simple tracking mechanism like an Excel sheet.

Standardize Your Workflows

Processing the same types of cases in a different way every time by different examiners creates variability in time-to-evidence as well as potential quality issues.

Standardize your procedures, processes and workflows for your lab’s common case types such as child abuse investigations, fraud, and serious and organized crime investigations.

By standardizing your workflows, you’ll be able to remove the variability between how each examiner processes a case. A repeatable workflow will help you to identify additional opportunities for efficiency improvement.

Augment Your Workflow with a Quick Triage Scan First

Performing a full scan takes a considerable amount of time.

This prevents you and your examiners from getting evidence to your investigators fast, delaying the investigation and creating unnecessary risk for the agency and community.

Augment your workflows to include a quick triage step first. By getting a first pass at the evidence to your investigators faster, they can help to identify key areas for your examiners to focus on. This will save valuable time at the outset of the workflow, as well as optimizing where time is spent subsequently on a deeper dive.

Leverage the Power of Orchestration & Automation Technology

Your analysis may have uncovered significant downtime between key steps in your standardized workflow.

Or, you may have uncovered that a significant amount of your skilled examiner time is spent on lower value tasks.

Also, while you may be using your own custom scripts to automate certain tasks, this doesn’t solve the problem of creating a workflow that utilizes all your hardware assets as efficiently and effectively as possible.

By leveraging orchestration and automation technology, such as Magnet AUTOMATE, you can scale up your existing resources and processes without drastic investments in new hardware. Magnet AUTOMATE has already helped labs achieve incredible results such as guaranteeing a turnaround time of 48 hours to investigators.

Work Smarter, Not Harder

By analyzing and identifying your current workflow, you can uncover opportunities to streamline your lab’s processes and workflows to create efficiencies today while charting a path to scaling up those processes with technology.

Do You Need to Optimize and Find Efficiencies in Your Lab?

Contact sales@magnetforensics.com and let us help you implement an enhanced, modern approach to digital forensics.

The post Tips to Improve Your Digital Forensic Lab’s Efficiency appeared first on Magnet Forensics.

Pontificating on the Perplexing Preferences Proliferated by Safari


Within the macOS operating system, Safari is the built-in web browser that drives users’ interactions with the web. Surprisingly to many, Safari is often reported, based on collected user agents, as the second most used browser behind Google’s Chrome. Safari has some very interesting behaviors when it comes to the macOS platform. While many users may keep the default options, it’s the default options which can cause a lot of problems for the forensic examiner.

First, let’s start by examining the default preferences within the Safari browser. On a live-running system, users can access these by pressing Command+, while the Safari browser is in focus. With macOS 10.15, the following screenshot shows some of the default preferences set by the operating system:

[Screenshot: Safari Preferences]

Two of these in particular can vex an examiner during an investigation. First, “Remove download list items” is set to ‘After one day.’ As if the Downloads.plist file keeping only the past 20 downloads wasn’t difficult enough, after one day the downloads list will be cleared as well. While there are other ways to track files that were downloaded by Safari (here’s looking at you, Quarantine Events and Extended Attributes), that’s a topic for another blog post.

The second vexing listing in the screenshot shows that the checkbox for ‘Open “safe” files after downloading’ is checked by default. This makes attributing a file to a user difficult for an examiner, as a user could claim “Hey, I never opened that file” even though the file’s attributes tell a different story. Maybe the user didn’t open the file; the system opened it for them because a picture, PDF, archive, etc. is considered “safe.”

Other settings of note are that Safari will automatically remove the history after one year, point the downloads to the ~/Downloads directory of the logged-in user, and will have the default home page be set to Apple’s own. The most interesting thing is that the file that tracks these preferences actually won’t store records about many of these preferences if the defaults are still set!

Speaking of the file that contains them, users can find this file in the “com.apple.Safari.plist” file found within the ~/Library/Application Support/Containers/com.apple.Safari/Library/Preferences folder. This plist will contain several important records for the user’s preferences but it’s actually the absence of some listings that are telling in itself.

AXIOM will automatically parse this property list file to recover the system or user-set preferences under the Safari Preferences artifact.

[Screenshot: Safari Preferences artifact, parsed automatically by AXIOM]

Because some of the keys such as the default search engine, download location, remove download frequency, and clear history are actually not present in the property list file unless they have been changed by the user, AXIOM will detect the missing keys and populate the artifact with the default values.

There are additional preferences that may be of interest to the examiner beyond what is stored within just this file. Because Apple couldn’t make it easy for us, right?

There are several preferences found within the “Websites” section of the Safari Preferences that could be important to the examiner. For one, when a user downloads a file from a website, a pop-up box will first prompt the user to either Allow or Deny that specific website permission.

[Screenshot: prompt for download permission]

By default, users will be asked on each website. There is, however, a global preference that the user can set and change. Some (but not all) of these preferences are tracked by a database in a different area of the Safari structure. In the PerSitePreferences.db file, found in the ~/Library/Safari directory, examiners can see whether a site has prompted the user and has been allowed or denied the ability to download files.

[Screenshot: PerSitePreferences.db in a SQLite viewer]

Whether a site is allowed to display pop-up windows, download files, or use geolocation is set within this database. The numbers map back to the following values:

Listed Preference in Safari    Listed in Database
ALLOW                          0
ASK                            1
DENY                           2
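An added Python illustration of both points made above, absent plist keys meaning defaults and the per-site integer codes meaning ALLOW/ASK/DENY (example code written for this post, not AXIOM's parser): the plist key names are assumed to match Safari's, the default values are the ones the post states, and the PerSitePreferences table layout is constructed for the demo rather than taken from Apple's schema.

```python
import plistlib
import sqlite3

# Assumed com.apple.Safari.plist key names, paired with the defaults the post
# describes. Safari omits a key while the setting is still at its default, so
# "absent" has to be reported as "default", not as "unknown".
SAFARI_DEFAULTS = {
    "HistoryAgeInDaysLimit": 365,             # remove history after one year
    "DownloadsPath": "~/Downloads",           # downloads go to ~/Downloads
    "AutoOpenSafeDownloads": True,            # open "safe" files after download
    "DownloadsClearingPolicy": "After one day",  # remove download list items
    "HomePage": "Apple's own start page",     # descriptive placeholder
}

# Integer codes stored in PerSitePreferences.db, as listed in the post.
PERMISSION_CODES = {0: "ALLOW", 1: "ASK", 2: "DENY"}


def resolve_preferences(plist_bytes: bytes) -> dict:
    """Return {key: (value, source)} where source is 'plist' when the key was
    stored and 'default' when it was absent and the documented default applies."""
    stored = plistlib.loads(plist_bytes)
    resolved = {}
    for key, default in SAFARI_DEFAULTS.items():
        if key in stored:
            resolved[key] = (stored[key], "plist")
        else:
            resolved[key] = (default, "default")
    return resolved


def decode_permission(code) -> str:
    """Map a stored integer to its label; never silently guess for new codes."""
    try:
        return PERMISSION_CODES[int(code)]
    except (KeyError, ValueError, TypeError):
        return f"UNKNOWN({code!r})"


def decode_site_permissions(conn: sqlite3.Connection) -> list:
    """Read the (constructed) per-site table and label each permission."""
    rows = conn.execute(
        "SELECT domain, preference, value FROM preference_values "
        "ORDER BY domain, preference"
    ).fetchall()
    return [(domain, pref, decode_permission(value)) for domain, pref, value in rows]


def sample_plist() -> bytes:
    """Constructed plist: the user changed two settings; other keys are absent."""
    return plistlib.dumps({
        "AutoOpenSafeDownloads": False,
        "HomePage": "https://example.test/",
    })


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for PerSitePreferences.db (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE preference_values (domain TEXT, preference TEXT, value INTEGER)"
    )
    conn.executemany("INSERT INTO preference_values VALUES (?, ?, ?)", [
        ("example.test", "Downloads", 0),
        ("example.test", "PopUpWindows", 2),
        ("files.example.test", "Downloads", 1),
        ("odd.example.test", "Geolocation", 7),  # unrecognised code, kept visible
    ])
    return conn


if __name__ == "__main__":
    for key, (value, source) in resolve_preferences(sample_plist()).items():
        print(f"{key:25} {value!r:35} ({source})")
    for domain, pref, label in decode_site_permissions(build_demo_db()):
        print(f"{domain:20} {pref:15} {label}")
```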

While these are some of the more important preferences to the examiner, others such as if a site is allowed to display notifications in the notification center can be tracked in yet a DIFFERENT file. In the ~/Library/Safari directory, a UserNotificationPermissions.plist can show if a user has accepted that preference or denied it for a specific site.

[Screenshot: UserNotificationPermissions.plist in a plist viewer]

As more preferences raise more questions, the locations mentioned above should be a good jumping-off point for most investigators. Until then, we’ll keep searching for more information to find these preference values and their meaning!

The post Pontificating on the Perplexing Preferences Proliferated by Safari appeared first on Magnet Forensics.

4 Signs Your Digital Forensics Lab is Ready for Automation & Orchestration


Automation and orchestration solutions can help you increase your lab’s efficiency so that you process more cases faster and improve service levels to your agency — but only if you’re ready. 

While automation and orchestration are not new concepts — in fact, a level of automation is already integrated into Magnet Forensics tools, such as Magnet AXIOM — utilizing automation and orchestration within the lab to create an efficient and seamless workflow is relatively new. That’s why it may be challenging to tell if your lab is ready to utilize this technology. 

Here are four signs that your digital forensic lab is ready to utilize the power of automation and orchestration:

1. Your Digital Forensics Lab Is Struggling to Turn Around Cases in a Timely, Efficient Manner

When a case is submitted to your digital forensics lab, how long does it take to return it to the investigator? The longer critical evidence sits in your queue, the more risk increases as criminals continue to walk free in your community.

If your current backlog is increasing more and more by the day, it’s time to consider a new approach to digital investigations by leveraging technology. Automation and orchestration can alleviate the burden on your skilled examiners who are oftentimes repeating the same tasks over and over where in fact technology would be best suited to moving the case forward. In fact, with Magnet AUTOMATE, a large metropolitan law enforcement agency in the UK was able to guarantee a turnaround time of 78 hours.  

2. You’ve Invested in Modernizing Your Lab’s Infrastructure, but Productivity Is Still Low

You’ve recently modernized your lab’s infrastructure  — congratulations! You may have purchased new hardware to improve your processing speeds, increased your networking speeds, or increased your storage (i.e. more RAM, SSDs, faster CPUs). You may have also audited and upgraded your digital forensics toolkit to ensure that your examiners have world-class software to get the job done right and faster. 

But if your new hardware and software sits idle in the lab overnight and on weekends, then you’re not utilizing these (likely expensive) assets to their full capacity. Naturally, you can’t have your examiners returning to the lab on evenings and weekends to kick off the next step in the workflow. 

This is where orchestration and automation can help you maximize the ROI on your infrastructure investments. By queuing up cases to process across available workstations seamlessly and efficiently, you can image and process evidence overnight or on the weekend — there’s no need for an examiner to come into the lab to click “next” on a tool. Magnet AUTOMATE allows you to seamlessly integrate any forensic tool into your automated workflow (even custom scripts that your expert examiners have meticulously created) as well as process and create exports for multiple items of evidence in parallel instead of completing one at a time. Evidence items can then be merged into a single case for evidence review. 

3. Standard Operating Procedures Are in Place, but Deviations (And Errors) Still Occur

When consistency and case quality matter, even the smallest of errors can result in a case being dismissed in court, an outcome nobody wants to see.

Fortunately, automation allows you to create a consistent and automated workflow to handle the imaging and processing part of your workflow. The result? Human errors are eliminated, and a high-quality, consistent, analysis-ready case is delivered to your lab’s stakeholders each and every time. With Magnet AUTOMATE’s workflow builder, you and your expert examiners can visually design your lab’s workflows using an easy drag-and-drop interface that’s highly configurable and flexible. Now, even forensic technicians or junior members of the team can kick off complex workflows, allowing expert time to be spent where it matters most – on the analysis and reporting. 

4. Your Examiners Are Wasting Valuable Time on Repetitive, Manual Tasks

Does it ever feel like you’re working harder than ever but not making a meaningful dent on the real work that needs to get done? If your examiners are spending most of their time on manual, repetitive tasks that follow a repeatable workflow, then they’re likely feeling this way too. 

Being burdened with manual tasks that do not take full advantage of their expert skillset is not only wasteful of valuable hours, it results in less time spent where they add the most value, and ultimately fewer cases making it to court fast enough. Also, less time is spent sharpening analysis skills, which means they’re likely to need to use more of their personal time to keep their analysis skills up to speed, leading to burnout, job dissatisfaction, and turnover. By integrating orchestration and automation into your lab, you can let technology handle the repetitive tasks at machine speed, while allowing your examiners to focus where their skills matter most, such as complex analysis and reporting.

If most of these signs resonated with you, it’s likely time to implement an automation and orchestration solution, such as Magnet AUTOMATE.  

Interested in Learning More About Magnet AUTOMATE?

Watch our on-demand webinar “Unlock Capacity & Improve Service to Your Agency with Magnet AUTOMATE” to learn more about the solution, key benefits already realized by law enforcement agencies like yours, and a demo of Magnet AUTOMATE in action. 

Ready to Find Efficiencies in Your Lab with Magnet AUTOMATE?

Contact sales@magnetforensics.com and let us help you implement an enhanced, modern approach to digital forensics. 

The post 4 Signs Your Digital Forensics Lab is Ready for Automation & Orchestration appeared first on Magnet Forensics.

Vault Apps, Forensic Examinations, and Magnet AXIOM


Media vault apps are an interesting niche in the mobile app market – there’s a lot of them out there, and they often describe (in grandiose terms) just how securely they handle your data. They encourage users to trust them with their most sensitive media and so their appeal for use with illegal content is unsurprising.

In a law enforcement context, there are certain types of investigations, such as those involving CSAM, where their presence on a device can be crucial evidence. I encountered them as an examiner, and as I embarked on the world of mobile app reversing last year I discovered they could be an excellent learning aid as well.

The Difference With Media Vault Apps

What is it that makes these apps different? Unlike other app genres where cryptography is expected (and which have only become more commercialized over the years), many popular vault apps were created by indie developers – either individuals or very small companies – who likely don’t have much experience implementing sound cryptography. This can lead to various outcomes, the most disappointing of which being that the app doesn’t encrypt media at all.

Another possibility is that the app does encrypt, but relies on a third-party library to do so. These libraries can actually be pretty secure, but don’t always provide specific guidance on how to address critical elements such as key storage, derivation of a user’s PIN/password into an encryption key of the appropriate length, and so on. So developers tend to search the internet for an easy answer. A hash (or “digest”) function like SHA-256 is a convenient solution because it translates input data of any length into a 32-byte output, which is the key size needed for AES-256. The problem there is that computers have gotten really efficient at computing SHA-256 digests! So much so that you can perform huge numbers of them in a very short time. Couple that with questionable design decisions (such as limiting PINs to a maximum of 4 numeric digits, a keyspace of only 10,000) and you’ve got yourself one highly vulnerable cryptographic implementation.

(For your inner geek, a common mitigation is to apply the digest function repeatedly to its own output along with a salt. The number of iterations is chosen by the developer and can be anywhere from a few thousand to hundreds of thousands. In sufficient numbers, this slows brute forcing to a crawl without creating an unreasonable delay for a legitimate user making a single authentication attempt. See PBKDF2 on Wikipedia for more details.)
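To make the cost difference concrete, here is an added Python example (not code from the original post or from any vault app) that derives a 32-byte AES key from a PIN both ways, SHA-256 alone and PBKDF2-HMAC-SHA256 with a salt, and extrapolates the measured per-derivation time on this machine to the 10,000-PIN keyspace; the 200,000 iteration count is an assumed work factor.

```python
import hashlib
import os
import time

AES_KEY_LEN = 32             # AES-256 key size; SHA-256 also yields 32 bytes, hence the temptation
PIN_KEYSPACE = 10_000        # a 4-digit numeric PIN, the design decision criticised above
PBKDF2_ITERATIONS = 200_000  # assumed work factor, in the "hundreds of thousands" range


def weak_key_from_pin(pin: str) -> bytes:
    """The convenient-but-weak pattern: key = SHA-256(PIN). No salt, no work factor."""
    return hashlib.sha256(pin.encode("utf-8")).digest()


def pbkdf2_key_from_pin(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The mitigation described above: PBKDF2-HMAC-SHA256 with a per-user salt.

    Each iteration feeds the previous HMAC output back in, so one derivation costs
    `iterations` HMAC computations instead of a single hash.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations,
                               dklen=AES_KEY_LEN)


def new_salt(length: int = 16) -> bytes:
    """A random salt, generated once per user and stored alongside the ciphertext."""
    return os.urandom(length)


def seconds_per_derivation(derive, samples: int = 20) -> float:
    """Average wall-clock cost of one call to `derive()` on this machine."""
    start = time.perf_counter()
    for _ in range(samples):
        derive()
    return (time.perf_counter() - start) / samples


def exhaustive_cost_seconds(per_derivation: float, keyspace: int = PIN_KEYSPACE) -> float:
    """Single-core time needed to derive a key for every PIN in the keyspace."""
    return per_derivation * keyspace


if __name__ == "__main__":
    salt = new_salt()
    weak = seconds_per_derivation(lambda: weak_key_from_pin("1234"))
    strong = seconds_per_derivation(lambda: pbkdf2_key_from_pin("1234", salt), samples=3)
    print(f"SHA-256 alone        : {weak * 1e6:9.1f} us/derivation -> "
          f"{exhaustive_cost_seconds(weak):.3f} s for all {PIN_KEYSPACE:,} PINs")
    print(f"PBKDF2 {PBKDF2_ITERATIONS:,} iter.: {strong * 1e3:9.1f} ms/derivation -> "
          f"{exhaustive_cost_seconds(strong) / 60:.1f} min for all {PIN_KEYSPACE:,} PINs")
```

Note what the second line of output tells a defender: even a large work factor only buys minutes against a 10,000-entry keyspace, so the iteration count has to be paired with a longer secret to matter.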

No Encryption Key or PIN Required When Using AXIOM 4.0 or Higher

In April, as the world descended into pandemic-related madness, I connected with a customer in law enforcement working a file involving an extraction from an iPhone. The examiner had located a large number of images and videos encrypted using Private Photo Vault (PPV). The media was strongly believed to be CSAM as the many album titles were not encrypted. In this case, the device keychain didn’t store the full encryption key, so additional reversing work would be needed if the examination were to move forward.

When I wrote my blog last spring, I speculated it may be possible to decrypt the media without any keychain content at all. This particular case provided ample motivation to see whether that hypothesis was accurate. If you read our AXIOM release notes, you may already know the outcome! Private Photo Vault support for iOS came out with Magnet AXIOM 4.0, and for Android in the latest AXIOM version 4.2. What you may not know is that no encryption key or PIN is required. The PPV artifact will identify the encryption key and PIN for you automatically, provided you have the artifact enabled.

I am so thankful the customer thought to reach out to let us know about the situation. Not only were we able to directly assist on an important file, now AXIOM can assist other customers in a similar situation – which we’ve had great feedback on already for PPV. I strongly encourage you after reading this to do the same if you encounter an unsupported app! Reach out to your tool vendors or the DFIR community – chances are high you aren’t the first one to run into that particular app. You never know what could result from just asking the question!

If you’re not already using AXIOM, you can request a free 30-day trial today.

Feel free to reach out to me at mike.williamson@magnetforensics.com or @forensicmike1 on Twitter.

The post Vault Apps, Forensic Examinations, and Magnet AXIOM appeared first on Magnet Forensics.

Magnet Forensics is Proud to Once Again Take Home Two Forensic 4:cast Awards!


We are unbelievably lucky to have such amazing support in the DFIR community. Thanks to your nominations and votes, we’re once again honored to take home the coveted DFIR Team of the Year and Commercial Tool of the Year awards!

Though we didn’t get to enjoy picking up the award in person as we had in previous years, we’re happy to have gotten to receive the award virtually from Lee Whitfield, who has spent countless hours organizing, promoting, and presenting the awards.

On behalf of everyone at Magnet Forensics, thank you Lee for all the work you put into the Forensic 4:cast Awards!

Announced at this year’s (virtual) SANS DFIR Summit, our acceptance looked a little different this year, but the fact remains that we’re extremely grateful to every one of our customers and friends for taking the time to nominate and vote for us this year. In case you missed it, we compiled a few of the great things you’ve been kind enough to share with us recently:

Thank you again for all of the support! If you want to reminisce on Forensic 4:cast Awards past, you can catch up on last year’s awards here.



Exploring the New JSON Viewer in Magnet AXIOM


A brand new feature in Magnet AXIOM 4.3 is a better way to analyze data from JSON files! Now when reviewing data in the File System view, you can utilize a new JSON Viewer to quickly review data structured in a .json file.

JSON (JavaScript Object Notation) is a text-based format for structured data that is often used for data transmission and storage. Read more about the JSON format here!

When you come across JSON files in your forensic analysis, AXIOM will now display this data structure in the File System view in an easy-to-navigate view! As you can see in the screenshot below, each of the sections can be collapsed or expanded individually, or you can use the Collapse All/Expand All link at the top to manipulate your view.

JSON Viewer

An additional feature of the JSON viewer is a search capability. Examiners can search for strings or regular expressions throughout the JSON file. As you can see below, any hits from your search are highlighted in yellow and can be stepped through in the file using the up and down arrows next to the search box.

Highlights hits

If you ever need to analyze JSON files in your case, hopefully the new JSON Viewer in Magnet AXIOM can assist!

If you’re already using AXIOM, be sure to upgrade to the latest version from the Customer Portal to get all the latest artifact support, including support for Zoom! For those who want to give Magnet AXIOM a try,  request a free trial today.


Find Evidence Faster with a New JSON Viewer in Magnet AXIOM 4.3


Magnet AXIOM 4.3 and Magnet AXIOM Cyber 4.3 are now available — upgrade today within AXIOM/AXIOM Cyber or over at the Customer Portal.

AXIOM 4.3 introduces an all-new JSON viewer along with new & updated artifacts — including Microsoft Teams, Instagram, Chrome, and Uber. Within AXIOM Cyber 4.3, you can now also more reliably acquire data from Microsoft Azure.

If you haven’t tried AXIOM or AXIOM Cyber yet, request a free 30-day trial here.

New in AXIOM & AXIOM Cyber: New JSON Viewer

AXIOM 4.3 includes an all-new JSON viewer, making it much easier for you to review the contents of JSON files found within your digital evidence. 

The new JSON viewer features the ability to view JSON files in an easier-to-read format, search and find the content within the JSON file, highlight searched values and expand and collapse sections of the file to zero in on important evidence.

For more information on our new JSON viewer, read this blog from Tarah Melton.

New in AXIOM Cyber: Improved Reliability of Acquiring Data from Microsoft Azure

Don’t let the trail of investigations like data exfiltration or fraud stop when data is stored in Microsoft Azure. We’ve improved the reliability of our support for downloading virtual images from Microsoft Azure. Now with AXIOM Cyber, you can more reliably process and analyze data from Azure virtual machine images.

See it in action in this video from Jamie McQuaid:

New and Updated Media Vault Apps Artifacts

Media vault apps have become increasingly important in LE investigations, where their presence on a device could indicate an attempt to conceal crucial evidence. AXIOM 4.3 includes a new artifact for the Secret Photo Vault app for iOS, as well as updates to the Best Secret Folder for iOS artifact.

Check out this blog from Mike Williamson for more on investigating vault apps with AXIOM: Vault Apps, Forensic Examinations, and Magnet AXIOM.

Mid-Year AXIOM Features Round-Up

2020 has been an exciting year so far for us here at Magnet Forensics, with the introduction of AXIOM 4.0 as well as our new AXIOM Cyber platform, a forensics tool purpose-built for businesses.

Our blog here recaps all the great innovations we’ve added to both AXIOM and AXIOM Cyber so far in 2020: A Mid-Year Round-Up of Innovations in AXIOM.

New Artifacts

  • Apple Health – Heart Rate (iOS)
  • Bolt Browser (iOS)
  • Android Digital Wellbeing (Android)
  • Secret Photo Vault (iOS)
  • Microsoft Teams (Windows)

Artifact Updates

  • Best Secret Folder (iOS)
  • Chrome (iOS)
  • Duck Duck Go (iOS)
  • Google Duo (Android, iOS)
  • Google Hangouts (Android, iOS)
  • Instagram (iOS)
  • Installed Applications (iOS)
  • Private Photo Vault (iOS, Android)
  • Text Plus (iOS)
  • Uber (iOS)
  • Voice Memos (iOS)

Get Magnet AXIOM 4.3 and Magnet AXIOM Cyber 4.3 Today!

If you’re already using AXIOM, download AXIOM 4.3 or AXIOM Cyber 4.3 over at the Customer Portal. If you want to try AXIOM 4.3 or AXIOM Cyber 4.3 for yourself, request a free trial today.


A Mid-Year Round-Up of Innovations in AXIOM


2020 has been a challenging year so far to say the least. As everyone tries their best to adjust to our new environment, we at Magnet have been focused on continuing to innovate and deliver value for our customers and partners.

We’ve introduced many new features with Magnet AXIOM and Magnet AXIOM Cyber over the past 6 months, along with over 100 new and updated artifacts to help you do more in your investigations.

Let’s take a look at what’s new in AXIOM so far in 2020.

Q1 2020: AXIOM 3.10 and 3.11

The first quarter of 2020 brought several important new features in AXIOM, including .dar file support for images from Cellebrite Advanced Services or devices jailbroken with checkra1n, new Device Identifiers artifacts, and Android Quick Acquisition, along with improvements to Uber and WhatsApp acquisitions and Snapchat warrant returns.

We also added over 20 new and updated artifacts, including Signal, Instagram, and Twitter.

January also saw the introduction of Magnet AXIOM Cyber, an innovative new solution purpose-built for organizations that need to perform remote acquisitions, as well as collect and analyze evidence from cloud sources, computers and mobile devices.

May: AXIOM 4.0

In May, we proudly unveiled AXIOM 4.0, our next generation release that brought with it many substantial additions and improvements to the AXIOM platform:

AXIOM Cyber 4.0 included several new features to enhance corporate investigations, including remote collection from Macs and Azure VM acquisition, as well as a new Cloud license server option.

June and July 2020: AXIOM 4.1, 4.2, and 4.3

We’ve continued to build more value into AXIOM since the 4.0 release. AXIOM 4.1 included further filtering speed improvements, enhancements to our Find Similar Pictures feature, and more control over artifact exports.

AXIOM 4.2 was another significant release, introducing support for AFF4 forensic containers, Skype warrant returns and WhatsApp QR code-based acquisition, as well as the ability to review categorized media by source and new Zoom artifacts.

AXIOM Cyber 4.2 included powerful new updates as well, including the ability to import and process Office 365 Unified Audit Logs, customize targeted locations for collection, and up to 60% faster collections of memory from Windows devices.

And today with AXIOM 4.3, we’ve included a new JSON viewer to simplify your evidence searches involving JSON files, alongside Azure acquisition improvements in AXIOM Cyber 4.3 and new artifacts for Android Digital Wellbeing, Microsoft Teams, Apple Health, Secret Photo Vault, and Bolt Browser.

Stay tuned for more exciting AXIOM innovations throughout the rest of 2020!


More Efficient Mobile Workflows Now in Magnet AUTOMATE 2.3


With Magnet AUTOMATE 2.3, you can now make mobile investigations more efficient by decrypting mobile images prior to processing in AUTOMATE workflows.

Many mobile images and backups are encrypted, limiting the data that can be extracted and analyzed by examiners. Now with Magnet AUTOMATE, examiners can save even more time on their mobile investigations by initiating the decryption of mobile devices and mobile backups directly from the AUTOMATE “Create a Case” user interface. 

For any Android and iOS mobile device image or backup that is encrypted, an examiner will be able to create a case, add the encrypted device as an evidence source, and specify the password or password list that should be used to decrypt the device.

These workflows can help make your mobile investigations easier, along with our recently introduced Watch Folders in AUTOMATE 2.2 where you can integrate any acquisition tool, including those without a command line interface, into your automated workflows. This means more of your toolkit can be synced together in one platform, saving you even more time and costs by reducing manual intervention by examiners and ensuring more of your forensic equipment is efficiently utilized 24/7. 

Additionally, AUTOMATE now integrates AXIOM 4.3, introducing new artifacts that help you get to your evidence faster. Check out our blog post on AXIOM 4.3 to learn more about the new artifacts and features we introduced.

Not Sure Where to Start to Improve Your Lab’s Efficiency?

If you need to improve your lab’s efficiency, knowing where to start can be a challenge. In our blog post “Tips to Improve Your Digital Forensic Lab’s Efficiency,” we offer several tips and recommendations to help you get started.

Is Your Lab Ready for Automation and Orchestration?

Automation and orchestration solutions can help you increase your lab’s efficiency so that you process more cases faster and improve service levels to your agency — but only if you’re ready. However, it may be challenging to tell if your lab is ready to utilize this technology.

Our blog post “4 Signs Your Digital Forensics Lab is Ready for Automation & Orchestration” explores key signs that indicate when your lab is equipped to use technology to scale-up.

Want to Dive Deeper into AUTOMATE and See It in Action?

If you’re interested in learning more about AUTOMATE and seeing it in action, watch our on-demand webinar “Unlock Capacity & Improve Service to Your Agency with Magnet AUTOMATE” as we explore:

  • Modern digital investigation challenges
  • How Magnet AUTOMATE can help you unlock capacity and improve service to your agency by getting evidence into the hands of your investigators faster
  • What’s new with Magnet AUTOMATE, with a focus on mobile-capable workflows, including a demo of the new Watch Folders workflow.

Head over to the Magnet AUTOMATE page to learn more about AUTOMATE and to request a demo today.


Chromebook Data Locations


Hi!  This is Jessica Hyde, Forensics Director here at Magnet Forensics.  I recently received an email regarding the data locations for the artifacts I spoke about in the Chromebook forensics presentation at the Magnet Virtual Summit, Taking a Byte of Chromebook Analysis.

The ask was for a summary list of where to find the artifacts discussed in that presentation. I thought it would make sense to share that list here as a reference document. There are multiple locations listed for each artifact type.

Browser History

home/shadow/(GUID)/mount/user/history

home/chronus/user/history

home/chronus/u-(GUID)/history

home/user/(GUID)/history

home/(username)/.config/chromium/Default/history

Browser Cache

home/shadow/(GUID)/mount/user/Cache

home/chronus/user/Cache

home/chronus/u-(GUID)/Cache

home/user/(GUID)/Cache

home/(username)/.config/chromium/Default/Cache/data_1

Browser History – Current Tabs

home/shadow/(GUID)/mount/user/Current Tabs

home/chronus/user/Current Tabs

home/chronus/u-(GUID)/Current Tabs

home/user/(GUID)/Current Tabs

home/(username)/.config/chromium/Default/Current Tabs

Browser History – Last Tabs

home/shadow/(GUID)/mount/user/Last Tabs

home/chronus/user/Last Tabs

home/chronus/u-(GUID)/Last Tabs

home/user/(GUID)/Last Tabs

home/(username)/.config/chromium/Default/Last Tabs

Browser History – Current Sessions

home/shadow/(GUID)/mount/user/Current Sessions

home/chronus/user/Current Sessions

home/chronus/u-(GUID)/Current Sessions

home/user/(GUID)/Current Sessions

home/(username)/.config/chromium/Default/Current Sessions

Browser History – Last Sessions

home/shadow/(GUID)/mount/user/Last Sessions

home/chronus/user/Last Sessions

home/chronus/u-(GUID)/Last Sessions

home/user/(GUID)/Last Sessions

home/(username)/.config/chromium/Default/Last Sessions

Downloads

In the browser history, downloads table, e.g. home/chronos/u-(GUID)/downloads/(filename)

AND

home/shadow/(GUID)/mount/user/Downloads

home/chronus/user/Downloads

home/chronus/u-(GUID)/Downloads

home/user/(GUID)/Downloads

home/(username)/Downloads

Also

downloads_url_chains table in browser history
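As an added example (not from the original post), here is a Python script that pulls the download records the two tables above describe out of a Chromium History database, joining `downloads` to `downloads_url_chains` and converting Chrome’s 1601-based microsecond timestamps. The History database it builds is a constructed sample with a subset of the real columns, and the Chromebook path and GUID in it are placeholders.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium's History database stores timestamps as microseconds since
# 1601-01-01 00:00:00 UTC (the WebKit/Chrome epoch), not the Unix epoch.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values of the downloads.state column in recent Chromium History schema versions.
DOWNLOAD_STATES = {0: "in_progress", 1: "complete", 2: "cancelled", 3: "interrupted"}


def chrome_time_to_utc(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime (None if unset/0)."""
    if not microseconds:
        return None
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def list_downloads(con):
    """Join `downloads` with `downloads_url_chains`, one record per download.

    The chain is ordered by chain_index: the first URL is where the download was
    requested, the last is where the bytes actually came from (redirects between).
    """
    rows = con.execute(
        "SELECT id, target_path, start_time, end_time, received_bytes, total_bytes, "
        "state, tab_url, mime_type FROM downloads ORDER BY start_time"
    ).fetchall()
    records = []
    for did, target_path, start, end, received, total, state, tab_url, mime in rows:
        chain = [url for (url,) in con.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index",
            (did,))]
        records.append({
            "id": did,
            "target_path": target_path,
            "start_time": chrome_time_to_utc(start),
            "end_time": chrome_time_to_utc(end),
            "state": DOWNLOAD_STATES.get(state, f"unknown({state})"),
            "bytes": f"{received}/{total}",
            "fully_received": total > 0 and received == total,
            "tab_url": tab_url,          # page the user was on when the download began
            "mime_type": mime,
            "url_chain": chain,
            "source_url": chain[-1] if chain else None,
        })
    return records


def build_sample_history():
    """Constructed sample History database (subset of real columns), for demonstration only."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, end_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, state INTEGER, tab_url TEXT,
            mime_type TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT NOT NULL,
            PRIMARY KEY (id, chain_index));
    """)
    # 13239288000000000 us = 2020-07-15 12:00:00 UTC; the GUID is a placeholder.
    t0 = 13239288000000000
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, "/home/chronos/u-<GUID>/Downloads/report.pdf", t0, t0 + 5_000_000,
         48213, 48213, 1, "https://example.com/reports", "application/pdf"),
        (2, "/home/chronos/u-<GUID>/Downloads/archive.zip", t0 + 3_600_000_000, 0,
         1024, 4096, 3, "https://example.org/files", "application/zip"),
    ])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://example.com/start"),
        (1, 1, "https://cdn.example.com/report.pdf"),
        (2, 0, "https://example.org/archive.zip"),
    ])
    con.commit()
    return con


if __name__ == "__main__":
    for rec in list_downloads(build_sample_history()):
        print(f"[{rec['state']}] {rec['target_path']} ({rec['bytes']} bytes)")
        print(f"   started {rec['start_time']}  from tab {rec['tab_url']}")
        print("   chain: " + " -> ".join(rec["url_chain"]))
```

Point the connection at a copy of the History file from any of the locations listed above (the database is locked and journaled while the browser runs, so always work on a copy).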

Extensions

File names are GUIDs. Note – use a search engine for the GUID or check the manifest.json file (includes name and preferences)

home/shadow/(GUID)/mount/user/Extensions

home/chronus/user/Extensions

home/chronus/u-(GUID)/Extensions

home/user/(GUID)/Extensions

home/(username)/Extensions

Extensions – manifest.json

home/shadow/(GUID)/mount/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/u-(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/user/(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/(username)/Extensions/(extensionGUID)/(Version)/manifest.json

Extensions – Sync App Settings

home/shadow/(GUID)/mount/user/Sync App Settings

home/chronus/user/Sync App Settings

home/chronus/u-(GUID)/Sync App Settings

home/user/(GUID)/Sync App Settings

home/(username)/Sync App Settings

Offline Storage

home/shadow/(GUID)/mount/user/gcache/v1/files 

home/chronus/user/gcache/v1/files 

home/chronus/u-(GUID)/gcache/v1/files 

home/user/(GUID)/gcache/v1/files 

home/(username)/gcache/v1/files 

Note – Files are listed by GUID rather than name and can be associated via gcache/v1/meta/*.ldb

Shell History

home/shadow/(GUID)/mount/user/.bash_history

home/chronus/user/.bash_history

home/chronus/u-(GUID)/.bash_history

home/user/(GUID)/.bash_history

home/(username)/.bash_history

Avatar

home/shadow/(GUID)/mount/user/Accounts/Avatar/Images/(emailaddress)

home/chronus/user/Accounts/Avatar/Images/(emailaddress)

home/chronus/u-(GUID)/Accounts/Avatar/Images/(emailaddress)

home/user/(GUID)/Accounts/Avatar/Images/(emailaddress)

home/(username)/Accounts/Avatar/Images/(emailaddress)

I hope this serves as a quick reference document for your Chromebook analysis. If you are looking for acquisition of Chromebooks, try the method from Daniel Dickerman posted on DFIR Review.

Have you found other artifact locations in your Chromebook analysis? Share them with me by email to jessica.hyde@magnetforensics.com.


All Your Case Data in Magnet AXIOM: Pt 1 — Why It Matters


In this five-part series, we talk about the benefits of having all your case data within one platform and how it will help your casework—from more simplified yet comprehensive data ingestion to more efficient and thorough analysis.

Part one of the series explores the benefits of having your data in one case file within Magnet AXIOM, the only tool in market that combines cloud, mobile and computer analysis in one case file.

Check out the other parts of the series to learn how to bring your data from different mobile, computer, and cloud sources into AXIOM and how you can get the best analysis and reporting.

Modern digital investigations aren’t just about recovering the data on a computer or a phone – they’re about understanding activity and behavior through digital footprints, and today these footprints are increasingly spread out over multiple devices, applications, and services.

Mobile devices are ubiquitous and multiple device use is the norm, with many people regularly using smartphones alongside other devices like computers, tablets and smartwatches. IoT devices like smart speakers and security cameras have become increasingly popular as well, with more coming into use every day—all potentially valuable new sources of forensic data.

While Windows-based PCs were once the dominant target in digital forensic investigations, Macs are now also gaining traction amongst both consumers and businesses—the ability to conduct effective analysis of both platforms is critical today.

The growing trend towards cloud-hosted apps and data has also made digital investigations today more challenging, but also presents opportunities. For example, important evidence that could previously be retrieved from a mobile device may now be stored exclusively in the cloud instead—this means a mobile image examination alone might yield less evidence but important data is also preserved in the cloud in case of a device wipe.

Fragmentation of forensic data across multiple sources introduces significant complications and risk when conducting digital investigations, making it more difficult and time consuming to ensure you’re building the strongest possible case—one that considers all the relevant pieces of evidence available and the links between them, regardless of the source.

Whether you’re investigating child exploitation or other criminal conduct, the key to making the strongest case possible is the ability to bring all your evidence—whether sourced from mobile devices, computers, or the cloud—into the same case file. When you have all your data together it can then be analyzed and reported on together, helping you quickly build the most comprehensive picture of what happened.

It was with this idea in mind that we designed Magnet AXIOM: a complete, integrated digital forensics platform to help you build stronger cases in less time.

AXIOM is the only tool that can recover, analyze, and report on data from all your sources—mobile, computer, and cloud—in one case file, helping you build a holistic view of the evidence and how it relates to the case so you can quickly and easily see the entire story.

Recover, analyze, and report on data from all your sources.

With Magnet AXIOM, robust mobile, computer, and cloud capabilities, along with powerful analytics tools, are all natively integrated in one platform—without the need to purchase or install extra modules or add-on products.

AXIOM includes the ability to acquire images from devices like smartphones and USB drives, as well as direct ingestion of public and private cloud sources like Google, Facebook, and Twitter. Our free Magnet ACQUIRE tool lets digital forensic examiners quickly and easily acquire forensic images of any iOS or Android device, hard drive, or removable media.

In addition, AXIOM also includes support for a variety of other commonly used acquisition tools and industry standard data formats, including open source standards like AFF4 containers or vendor-specific image formats like .DAR files. This helps ensure that you’ll have the ability to ingest any of the relevant case data you need, regardless of its source or how it was acquired.

Check Out the Other Parts Of This Series

In Parts 2-4 of our series, we review how AXIOM’s complete approach helps you bring all your data from multiple sources—including mobile, computer, and cloud—into one case file.

From there, read the fifth and final post of the series, where you’ll see how having all your data in one case file makes your analysis more efficient and thorough, helping you build stronger cases, faster.

Want to experience the benefits of AXIOM’s complete, integrated platform for yourself? Request a free trial of Magnet AXIOM to get started today!


All Your Case Data in Magnet AXIOM: Pt 2 — Bringing in Mobile Data


In this five-part series, we talk about the benefits of having all your case data within one platform and how it will help your casework—from more simplified yet comprehensive data ingestion to more efficient and thorough analysis.

In the second part of the series, we’ll explain how you can bring mobile data into your case file in Magnet AXIOM, the only tool in market that combines cloud, mobile and computer analysis in one case file.

Then, in Parts 3 & 4, we’ll show you how you can also add computer and cloud data. Be sure to also check out Part 1 & Part 5 of the series to understand why working within one case file matters and how you can get the best analysis and reporting.

Almost every digital forensics investigation today involves mobile devices, and the wide variety of these devices in market—including smartphones, tablets, IoT devices, etc.—can make mobile data recovery, processing, and analysis challenging.

A toolkit approach is therefore essential to ensure you’re able to successfully access the data required for your investigations, regardless of the mobile device at hand—every tool is a little different and there’s never going to be only one tool that does everything you need.

AXIOM was purpose-built with support for a wide variety of mobile image and file types, so you can be confident that you’ll be able to ingest your mobile data into AXIOM regardless of the acquisition tool you use. AXIOM can also support ingestion of multiple mobile images together in the same case, an important feature considering your subjects might have several mobile devices of interest.

Why Use AXIOM in Your Mobile Investigations?

In addition to the advantages of analyzing your mobile data alongside computer and cloud sources outlined in Part 1 of our series, ingesting your mobile images into AXIOM for analysis provides a number of other unique benefits:

  • AXIOM has the most advanced parsing and carving techniques to surface the most amount of mobile data like chats, pictures, geolocation data, etc. In fact, based on internal testing that we’ve done, we’ve found that AXIOM finds up to 25% more evidence than other tools available.
  • AXIOM’s Dynamic App Finder (DAF) enables users to discover chat, geolocation, contact information, and web data applications that aren’t yet supported by a native artifact—this helps you find more evidence from unsupported apps, giving you a stronger foundation for your manual validation.
  • AXIOM also enables you to build custom mobile artifacts of your own. With custom artifacts, you can recover data—messaging, location, browser interactions, etc.—from across an app. And with our new free MAGNET Custom Artifact Generator tool, you can build your own mobile artifacts without needing to know XML/Python or Magnet’s API for custom artifacts!

Let’s take a look at how AXIOM supports the ingestion of images from different tools, as well as direct acquisition from iOS and Android devices.

Mobile Image Ingestion with Magnet AXIOM

Integrated GrayKey Support

GrayKey is the most advanced solution for acquiring images from iOS devices. AXIOM is the only forensics solution directly integrated with GrayKey, for fast and easy ingestion of GrayKey iOS images. AXIOM automatically verifies your GrayKey image hashes, if applicable, and then adds the images to your case.

Mobile Image Support

AXIOM supports the ingestion of images created with a variety of mobile tools via various physical extraction techniques such as JTAG/ISP/Chipoff.

AXIOM includes broad support for a number of file types, including open industry standards like AFF4 as well as vendor specific formats like .ufd and .dar files.

A full list of image file types supported in AXIOM is below:

Supported image types

Cellebrite

You likely have Cellebrite’s UFED as one of the tools in your mobile forensics toolbox for mobile device extractions.

If you choose to do your acquisition and first pass of the data with UFED, AXIOM is an extremely powerful solution for analyzing the evidence. Check out our blog on the top 5 reasons why you should use AXIOM with your UFED extractions and learn more about how to ingest Cellebrite images from third-party sources into AXIOM here: Loading Cellebrite Images into Magnet AXIOM

Other Mobile Tools

If you use other mobile extraction tools like Oxygen and XRY, read our blogs here to see how you can ingest their images into AXIOM, too:

Mobile Acquisition with AXIOM

AXIOM also includes tools to recover data from both Android and iOS devices, including Logical, File System, and Physical images.

For Android devices running version 2.1 and later, AXIOM can obtain full images from rooted Android devices and quick images from other Android devices.

Supported Acquisition Methods for Android Devices

Supported acquisition methods for Android devices.
**Requires a rooted device

For iOS devices, AXIOM can obtain a quick image from devices running iOS version 5.0 and later and full images from jailbroken iOS devices.

For more on using AXIOM with iOS devices running up to version 13, check out our blog here.

Supported Acquisition Methods for iOS Devices

**Requires a Jailbroken device

For devices with passcodes or encryption enabled, AXIOM has a variety of methods to help you recover device data, including:

AXIOM can recover and analyze data from many encrypted applications such as Snapchat and Wickr.

AXIOM can also acquire evidence from media devices that support the media transfer protocol (MTP), including digital cameras, feature phones, and iOS and Android smartphones.

In addition to the capabilities built directly into AXIOM, our free Magnet ACQUIRE tool can acquire forensic images of any iOS or Android device.

Check Out the Other Parts Of This Series

In Parts 3 & 4 of this series, we’ll show you how AXIOM brings computer and cloud data into your case.

In Part 5, you’ll see how having all your data in one case file makes your analysis more efficient and thorough, helping you build stronger cases, faster.

And if you missed the first part of our series, catch up here to see why bringing your data into one case file matters.

Want to experience the benefits of AXIOM’s complete, integrated platform for yourself? Request a trial of Magnet AXIOM to get started today!



All Your Case Data in Magnet AXIOM: Pt 3 — Bringing in Computer Data


In this five-part series, we talk about the benefits of having all your case data within one platform and how it will help your casework—from more simplified yet comprehensive data ingestion to more efficient and thorough analysis.

In the third part of the series, we’ll explain how to bring all your computer data into one case file within Magnet AXIOM—the only tool in market that combines cloud, mobile and computer analysis in one case file.

Check out the other parts of this series to understand why working within one case file matters, how to bring mobile and cloud data into your case, and how you can get the best analysis and reporting.

Magnet AXIOM: The Leading Computer Forensics Tool

The digital forensics industry began with the examination of computer sources—with Windows PCs the dominant platform by far. Magnet was an early pioneer in Windows investigations with our IEF tool, which introduced a revolutionary artifacts-first approach to digital forensics.

Today, computer sources remain a core part of digital investigations alongside mobile and cloud sources, and we’ve evolved our industry-leading computer tools in the Magnet AXIOM platform to provide you with the deepest and most comprehensive computer artifacts support—not only for PCs but also Macs—ensuring you get the most from your data sources.

AXIOM supports a wide variety of industry standard file systems, including NTFS, FAT32/16/12, ExFAT, APFS, HFS+, HFS/X, EXT2, EXT3, EXT4, YAFFS2, and Flash Friendly File System (F2FS).

When a target drive is encrypted, AXIOM includes tools to detect and decrypt those drives. Via our partnership with Passware, AXIOM is able to recover data from drives encrypted with TrueCrypt, BitLocker, McAfee, and VeraCrypt. AXIOM also supports recovery of FileVault 2 encrypted drives for macOS. Our free MAGNET Encrypted Disk Detector tool can quickly and non-intrusively check for encrypted volumes on a computer system during incident response.

In addition to computer hard drives and memory, AXIOM can also acquire evidence from removable storage such as USB flash drives and SD cards. As another option, our free Magnet ACQUIRE tool lets digital forensic examiners quickly and easily acquire forensic images of hard drives or removable media.

Let’s take a look at how AXIOM supports data acquisition and ingestion from computer and memory sources.

Acquiring and Ingesting Computer Data into AXIOM

Computer Data Acquisition

AXIOM can image many types of storage devices physically connected to your Windows examination machine, such as HDDs, SSDs, USB flash drives, SD cards, and other external drives.

There are four imaging options for drives connected to a Windows examination machine:

  • Full: entire contents in E01 format
  • Full: entire contents in raw format
  • Full: all files and folders
  • Quick: a logical image of locations that typically contain evidence, such as system files and user profiles, in a single, compressed .zip file.

Computer Image Ingestion

AXIOM can ingest images from a variety of computer imaging utilities, including hardware imagers like Atola TaskForce and software imagers like FTK Imager and MacQuisition, in a wide range of image and file types, listed below:

[Image: table of supported computer image and file types]

For Mac computers with Apple’s T2 security chip, which encrypts the internal SSD in hardware, AXIOM can ingest and process decrypted AFF4 physical images acquired using MacQuisition.

Memory Acquisition

Memory images can contain information about a user’s activity on the computer, such as running processes and network connections, that would otherwise be lost when the system crashed or was shut down. AXIOM includes several tools to help you easily process computer memory:

  • Volatility, seamlessly integrated into AXIOM for Windows-based machines
  • In addition to Volatility, AXIOM natively parses multiple artifacts from memory, such as Internet artifacts, media, and operating system artifacts like Prefetch and LNK files
  • RAM capture via our free MAGNET RAM Capture tool
  • Process memory images via our free MAGNET Process Capture tool

Read Part 4 of our series to see how AXIOM can help you incorporate cloud data into your case.

Then, in Part 5 you’ll see how having all your data in one case file makes your analysis more efficient and thorough, helping you build stronger cases, faster.

And if you missed the first two parts of our series, catch up here to see why bringing your data into one case file matters and here to see how AXIOM helps you bring mobile data into your case:

Want to experience the benefits of AXIOM’s complete, integrated platform for yourself? Request a free trial of Magnet AXIOM to get started today!

The post All Your Case Data in Magnet AXIOM: Pt 3 — Bringing in Computer Data appeared first on Magnet Forensics.

All Your Case Data in Magnet AXIOM: Pt 4 — Bringing in Cloud Data


In this five-part series, we talk about the benefits of having all your case data within one platform and how it will help your casework—from more simplified yet comprehensive data ingestion to more efficient and thorough analysis.

In the fourth part of the series, we’ll explain how to bring cloud data, alongside your other data sources, into one case file within Magnet AXIOM, the only tool on the market that combines cloud, mobile and computer analysis in one case file.

Check out the other parts of this series to understand why working within one case file matters, how to bring mobile and computer data into your case, and how you can get the best analysis and reporting.

The Growing Importance of Cloud Investigations

Cloud apps, cloud storage, and cloud computing have changed the way people share and store their information. As more apps and services move to the cloud, cloud investigations have become a critical complement to those involving mobile devices and computers—examiners need to rely on device back-ups, chat history, social media, and account information stored in the cloud to round out their investigations.

AXIOM’s built-in cloud capabilities can ingest data from 50+ of the most popular cloud services, including Google, Apple, Facebook, Twitter and more.

AXIOM supports both direct collection of cloud data (signing in with account credentials, or collecting public-facing social media data without them) and ingestion of data delivered from outside the tool, such as warrant returns and user-generated archives like Google Takeout and Facebook account downloads.

Let’s take a look at how AXIOM helps you bring in cloud data from a variety of sources.

Cloud Data Acquisition and Ingestion with Magnet AXIOM

Ingesting Warrant Returns

Warrant return data from cloud services can be an invaluable source of evidence in your case. However, searching and analyzing that content can be problematic: the returns are not in a standard format, and there are a vast number of artifacts. Even getting access to the returns themselves can be challenging for forensic investigators. To help ensure you can reliably access and analyze warrant return packages, we work closely with law enforcement practitioners, who are the first to know when there are changes to the packages provided by service providers.

AXIOM includes built-in support for warrant return data from major ISPs, including Google, Apple, Facebook, Snapchat, Instagram, and Skype.

For more on warrant return analysis in AXIOM, see our blog here.

Ingesting User Generated Archives

In addition to ingestion of warrant return packages, AXIOM also supports ingestion of user generated archive files from both Google and Facebook.

These user generated archives can be another valuable source of forensic data. Google Takeout, for example, can help you recover artifacts and information such as Chrome activity, Google Tasks, user activity on a Google account, Google Photos, and Google Keep.

However, like warrant return packages, properly ingesting and parsing user generated archives from consumer cloud services can be challenging due to their constantly changing nature. We work hard to keep pace with the latest versions of these services and deliver timely updates when changes are made to ensure you can get the most from them.

Acquiring Public-Facing Data

To acquire evidence from the cloud, you can sign in to an account from within AXIOM with the subject’s username and password, or, for some platforms, AXIOM can leverage and ingest third-party tokens and keychains recovered from mobile devices, allowing investigators to access cloud and social media accounts without the password. You can also acquire publicly available activity from Twitter and Instagram without login information for specific users.

Investigators can choose to download all data from the cloud account or specify a date range to acquire from in order to decrease the amount of time the acquisition takes. Once you’ve logged in to the account, you can also specify which services and content you want to acquire to further reduce your acquisition time.

Read the fifth and final post of the series here, where you’ll see how having all your data in one case file makes your analysis more efficient and thorough, helping you build stronger cases, faster.

And if you missed the first three parts of our series, catch up here to see why bringing your data into one case file matters and how you can bring mobile and computer data into your case:

Want to experience the benefits of AXIOM’s complete, integrated platform for yourself? Request a free trial of Magnet AXIOM to get started today!

The post All Your Case Data in Magnet AXIOM: Pt 4 — Bringing in Cloud Data appeared first on Magnet Forensics.

All Your Case Data in Magnet AXIOM: Pt 5 — Integrated Analysis & Reporting


In this five-part series, we talk about the benefits of having all your case data within one platform and how it will help your casework—from more simplified yet comprehensive data ingestion to more efficient and thorough analysis.

Magnet AXIOM is the only tool on the market that combines cloud, mobile and computer analysis in one case file.

In the fifth part of the series, we’ll show you how integrated analysis and reporting of all your case data in Magnet AXIOM give you a more complete picture. Check out the other parts of this series to understand why working within one case file matters and to learn how to bring your data into AXIOM.

When you can bring all your evidence sources together into one case file, it’s much easier to piece together how artifacts, people, and devices relate to each other, so you can quickly find the insights you need to move your investigation forward.

With all your evidence in one case file, the speed and efficiency of your overall analysis is greatly enhanced – you can conveniently view any of your sources to find the best starting points for your case, easily search across your sources to help you get to the evidence faster, and apply analytics tools to help you see the complete story of your evidence.

See the Whole Story with Combined Analysis Across Your Sources

Magnet AXIOM includes powerful built-in Analytics tools – including Connections, Timeline, and Magnet.AI – that automatically generate insights across all your sources that might lead to breakthroughs in your case.

And with Magnet AXIOM, these powerful Analytics tools are natively integrated and included at no extra cost.

Connections helps you find and visualize data across all your evidence sources and can shed light on evidence that may never have surfaced otherwise. With Connections, examiners can easily see how an artifact came to exist on a source, or across sources, and understand artifacts’ relationships with one another.

When analyzing multiple sources of evidence, Connections helps tell the story of a file and tie together its existence across your sources, where it went, and how it got there. For example, Connections may be able to tie processes acquired from a memory scan to system data on a hard drive.

Timeline analysis also becomes much more powerful when all your data sources are considered together. AXIOM’s Timeline feature creates a graphical visualization of all your evidence based on all the dates and timestamps available, helping you pinpoint the exact offense or step through exactly how an incident occurred.

AXIOM’s Timeline provides some unique advantages when considering multiple evidence sources. For example, you can watch a conversation transition from computer to mobile or to a cloud-only app, helping you see the whole story of the interaction.

Magnet.AI leverages analytics, content-based image retrieval (CBIR), and machine learning technology to search pictures and text-based content to find what you’re looking for. With our CBIR-powered Find Similar Pictures feature, if you find something of interest in one piece of evidence, like a picture of a room or an object, AXIOM can find it in another across any of your data sources, helping you gather related evidence even faster.

Check out our blog for more on the features and benefits of Analytics in AXIOM.

Faster, More Efficient Examinations

AXIOM’s Case Dashboard is your “in-app” home screen for each case you work, helping you to kick off investigations with a better starting point across all your data sources. Case Dashboard collects high-level summary details of your investigation and evidence sources and their context, organizing your data so you can quickly move to the analysis phase of your investigation.

With AXIOM, you can conduct searches across all your sources using a variety of views and filters, which gives you a consistent approach for your evidence search, helping you get to the evidence faster and with greater confidence that nothing was missed. Our search returns are now up to 5X faster than ever before, saving you even more time, particularly when searching across a large data set.

AXIOM also allows you to perform multiple separate scans with different sources, so you can add one piece of evidence and start analyzing and add other pieces of evidence as they are received (e.g. a smartphone or computer today and warrant return later once it’s approved).

Unified Reporting for More Effective Communication of your Findings

The advantages of examining and analyzing all your evidence together in one case file become even more apparent when it’s time to share the results of your investigation with your stakeholders.

With AXIOM, your reporting is unified across your sources, so stakeholders receive a comprehensive summary of the entire digital investigation and can quickly and easily identify relevant evidence.

AXIOM can generate clear, visual reports in many different formats, including Excel, XML, HTML, PST, PDF, and more, and you can choose the data that is most relevant to your case to be included in your report, regardless of which source the data originated with.

With AXIOM’s Portable Case, it’s also easy to share a case with other stakeholders. A Portable Case file can be created by any AXIOM user, and you can choose to include as much or as little of the evidence acquired and recovered from all your sources. By sharing a Portable Case, stakeholders can explore the evidence and add their own comments, which can then be merged back into the case as tags, comments or bookmarks.

Missed Part 1 of our series? Catch up here to see why bringing your data into one case file matters.

In Parts 2-4, we review how AXIOM helps you bring all your data from multiple sources—including mobile, computer, and cloud—into one case file:

Want to experience the benefits of AXIOM’s complete, integrated platform for yourself? Request a free trial of Magnet AXIOM to get started today!

The post All Your Case Data in Magnet AXIOM: Pt 5 — Integrated Analysis & Reporting appeared first on Magnet Forensics.

Exporting Microsoft Teams Data from the Office 365 Security & Compliance Center for Use in AXIOM Cyber


Now more than ever organizations are faced with the need for remote collaboration, and many have turned to Microsoft Teams to fill that need. Utilizing Magnet AXIOM Cyber to process Office 365 evidence gives examiners the flexibility to acquire and examine Teams data directly via an API or by loading the Office 365 Security & Compliance Center exports. In this blog, we’ll focus on how to export Teams data from the Security & Compliance Center for use in AXIOM Cyber.

AXIOM Cyber’s Microsoft Teams API support allows examiners to log in with account credentials to acquire evidence directly from Teams for that account. Where the investigator doesn’t have the specific Teams user’s account credentials, it will be necessary to export the data from the Microsoft Security & Compliance Center instead. For easy-to-follow, straightforward assistance with configuring AXIOM Cyber for Teams acquisitions, please refer to this blog post from Trey Amick.

To Export From Compliance Center

Log in to https://protection.office.com/permissions and validate that the eDiscovery Manager role has been granted to your profile. If it has not, it can be granted for you by following the instructions in Microsoft’s Getting Started with Core eDiscovery document.

[Screenshot: Getting started]

Once permissions have been validated, navigate to the eDiscovery link in the menu on the left side of the page. If cases are created for you, simply select the appropriate case to open it. If you are creating cases, click on the Create a Case link to create a new eDiscovery case.

[Screenshot: Opening a case]

When your case opens you have the option to view or create holds and searches relevant to the case. To create a new simple search, click on New Search:

[Screenshot: New search]

At the bottom of the New Search column select Specific Locations and then click the Modify... link. The Modify locations dialogue box allows you to select the individual users, groups, teams, or sites you wish to search:

[Screenshots: Specific locations, Modify locations, Edit locations]

Once you have added the locations associated with your search you’ll be brought back to the search column. From here, click Save and Run and then name your search.

[Screenshot: Save search]

After your search has run you will be able to export the results. In the list of searches, select the search that you want to export and then click Export results.

[Screenshot: Export results]

After you select your preferences for the export, click Export.

[Screenshot: Export results]

Once the export completes it will be available for download in the Exports tab in your case. Select the name of the export you wish to download, copy the export key, and download the results. Treat the export key as a secret: it is what authorizes the download of the exported data. The results, when downloaded, are provided as .pst file(s), which can be zipped into one archive and loaded into AXIOM Cyber as computer evidence (files and folders).

NOTE: Microsoft Edge must be used to download the results.

[Screenshots: Exports, Export]

Once Download results has been selected, the Microsoft Office Client Discovery Application will download; it then retrieves the archive of the requested files.

[Screenshot: Download results]

Lastly, open a new AXIOM Cyber case and load the archive as a files and folders source for processing and analysis.
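One packaging step a practitioner adds before loading the downloaded PSTs is an integrity record, so the evidence can later be shown to be the same bytes that left the Compliance Center. The Python below is an added example for this page (not Microsoft’s or Magnet’s code): it stores every .pst in one uncompressed zip, embeds a SHA-256 manifest, and re-verifies the members inside the archive. The stand-in PST files are constructed (they carry only the real "!BDN" file magic and no mailbox data), and the directory layout, file names and manifest name are assumptions.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"   # manifest member name (assumption)


def sha256_stream(fobj, chunk: int = 1 << 20) -> str:
    """SHA-256 of a readable binary stream, hashed in 1 MiB pieces."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def package_export(export_dir: Path, archive: Path) -> dict:
    """Store every .pst under export_dir in one zip (uncompressed, so the member
    bytes equal the original file bytes) and embed a SHA-256 manifest."""
    manifest = {}
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_STORED) as zf:
        for pst in sorted(export_dir.rglob("*.pst")):
            arcname = pst.relative_to(export_dir).as_posix()
            with pst.open("rb") as f:
                manifest[arcname] = sha256_stream(f)
            zf.write(pst, arcname)
        zf.writestr(MANIFEST, json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_archive(archive: Path) -> bool:
    """Re-hash each member inside the archive against the embedded manifest and
    reject archives that contain members the manifest does not list."""
    with zipfile.ZipFile(archive) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        if set(zf.namelist()) - {MANIFEST} != set(manifest):
            return False
        for name, expected in manifest.items():
            with zf.open(name) as f:
                if sha256_stream(f) != expected:
                    return False
    return True


def tampered_copy(src: Path, dst: Path, victim: str) -> None:
    """Copy an archive while flipping the last byte of one member (simulated corruption)."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_STORED) as zout:
        for name in zin.namelist():
            data = bytearray(zin.read(name))
            if name == victim:
                data[-1] ^= 0xFF
            zout.writestr(name, bytes(data))


def demo() -> dict:
    """Package two constructed stand-in PSTs, then verify the intact and a tampered archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        export = root / "export"
        (export / "user1@example.com").mkdir(parents=True)
        # Constructed stand-ins: real PSTs begin with the "!BDN" magic; these hold no mail.
        (export / "user1@example.com" / "Teams.pst").write_bytes(b"!BDN" + b"\x00" * 4096)
        (export / "user2@example.com.pst").write_bytes(b"!BDN" + b"\x01" * 2048)
        good, bad = root / "teams_export.zip", root / "teams_export_tampered.zip"
        manifest = package_export(export, good)
        tampered_copy(good, bad, "user2@example.com.pst")
        return {
            "members": sorted(manifest),
            "intact_verifies": verify_archive(good),
            "tampered_verifies": verify_archive(bad),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Record the manifest hashes in your case notes as well. The embedded manifest catches corruption in transit or storage, but anyone who can rewrite the archive can rewrite the manifest with it, so the out-of-band copy is what gives the hashes evidentiary weight.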

If you have any questions regarding processing Microsoft Teams data in AXIOM Cyber, or have an idea on a new artifact please don’t hesitate to reach out at Lynita.hinsch@magnetforensics.com.

The post Exporting Microsoft Teams Data from the Office 365 Security & Compliance Center for Use in AXIOM Cyber appeared first on Magnet Forensics.

Perform Remote Collections of Endpoints with Confidence


As a forensic examiner in the corporate environment, you have a handful of tools to choose from to help you with your investigations. You have your legacy tools like EnCase, maybe a tool specifically for remote acquisitions like F-Response, and probably even some other open source or custom tools to help you out. 

However, choosing the right tool is important so that you can do your job quickly and effectively. If you don’t, you could be wasting valuable time fighting with your technology rather than fighting the threats and attacks you’re investigating. 

Why Having the Right Tool is Important 

Let’s take a look at a simple example to help demonstrate why having the right toolset is important. 

Perhaps the following scenario may seem a bit all too familiar… 

You get a notification from your SOC analyst that there is potentially malicious activity on an endpoint at one of your satellite offices halfway across the world. You assume the worst case: network intrusion, malware or ransomware attack, IP theft, data exfiltration, and the list goes on. As you run through this list, you groan because you know:

  1. Time is going to be of the essence, and you’re going to have a variety of stakeholders, everyone from half the SOC to senior leadership and IT, waiting for you to complete the remote collection.
  2. Getting your current tool (let’s say, for the sake of argument, it’s EnCase) to actually perform the remote acquisition is going to be a challenge. You’re unsure whether you’ll be able to connect to the agent already on the target endpoint, and even if you do, the chance of it timing out and forcing you to start the collection from the beginning is very likely, if not inevitable. All the while you’re hoping the target endpoint isn’t a Mac, because if it is, the likelihood of your current remote collection tool working just plummeted.

Using Magnet AXIOM Cyber to Create a Covert Agent and Begin the Investigation 

It doesn’t have to be this way… 

Now imagine this: that same notification from your SOC analyst comes in, that surge of adrenaline hits, and you jump into your new forensics tool, Magnet AXIOM Cyber, and quickly create a covert agent that you’re going to deploy to the target endpoint.

You cleverly name the agent “explorer.exe” because you know that the end user won’t be suspicious of that name and get tipped off that a remote acquisition is happening. The agent gets deployed and connects within seconds. You’re confident that the collection will complete no problem because even if the endpoint goes offline, your collection will be paused and then will resume right where it left off and keep going. 
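As an added illustration of the pause-and-resume behaviour described above (example code for this page, not AXIOM Cyber’s agent or any Magnet code), the Python below copies a source in fixed-size blocks, checkpoints a SHA-256 per block to a ledger as it goes, resumes from the ledger after a simulated connection drop, and then verifies the result block by block. The block size, the ledger format, the function names and the constructed source content are all assumptions of the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

CHUNK = 64 * 1024   # collection block size and checkpoint granularity (assumption)


class Interrupted(Exception):
    """Raised to simulate the endpoint dropping offline mid-collection."""


def collect(source: Path, dest: Path, ledger: Path, fail_after: Optional[int] = None) -> int:
    """Copy source to dest in CHUNK blocks, recording a SHA-256 per block in the
    ledger. A later call resumes at len(ledger) * CHUNK instead of starting over.
    Returns the number of blocks written by this call."""
    hashes = json.loads(ledger.read_text()) if ledger.exists() else []
    offset = len(hashes) * CHUNK
    written = 0
    with source.open("rb") as src, dest.open("r+b" if dest.exists() else "wb") as out:
        src.seek(offset)
        out.seek(offset)
        while True:
            if fail_after is not None and written >= fail_after:
                raise Interrupted(f"connection lost at offset {offset}")
            block = src.read(CHUNK)
            if not block:
                break
            out.write(block)
            out.flush()
            os.fsync(out.fileno())          # data is durable before the checkpoint claims it
            hashes.append(hashlib.sha256(block).hexdigest())
            ledger.write_text(json.dumps(hashes))
            offset += len(block)
            written += 1
    return written


def verify(dest: Path, ledger: Path) -> bool:
    """Block-wise verification: re-hash dest in CHUNK blocks against the ledger
    and confirm nothing trails the last recorded block."""
    hashes = json.loads(ledger.read_text())
    with dest.open("rb") as f:
        for expected in hashes:
            if hashlib.sha256(f.read(CHUNK)).hexdigest() != expected:
                return False
        return f.read(1) == b""


def demo() -> dict:
    """Drop the link after four blocks, resume, then verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "endpoint_volume.raw"
        size = 10 * CHUNK + 1234                       # 10 full blocks plus a short tail
        source.write_bytes(bytes((i * 31) & 0xFF for i in range(size)))   # constructed content
        dest, ledger = root / "collection.img", root / "collection.ledger.json"
        try:
            collect(source, dest, ledger, fail_after=4)
        except Interrupted:
            pass
        before = len(json.loads(ledger.read_text()))
        resumed = collect(source, dest, ledger)
        return {
            "blocks_before_drop": before,
            "blocks_on_resume": resumed,
            "ledger_verifies": verify(dest, ledger),
            "matches_source": hashlib.sha256(dest.read_bytes()).digest()
                              == hashlib.sha256(source.read_bytes()).digest(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering inside collect is the point: each block is fsync’d before its hash is appended to the ledger, so a crash between the two costs at most one re-copied block and never leaves the ledger claiming data the destination does not hold. The per-block hashes also let you verify the collection block by block without a full linear re-hash first.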

You finish the acquisition and then, within the same tool, AXIOM Cyber, you begin your investigation. You find out there is indeed malicious activity going on (the user clicked on a link in a phishing email) and you report back to your SOC analyst, who quickly remediates the situation and then sends you a celebratory GIF on Slack.

By the way, the endpoint was a Mac but you weren’t worried because AXIOM Cyber has never let you down when collecting from a Mac (even when they have T2 security chips and are SIP enabled). 

That whole scenario is made possible by Magnet AXIOM Cyber: a forensics platform that can perform remote acquisitions and then do the analysis and reporting. 

Watch this video to see the remote collection of a Mac in action: 

Ready to try Magnet AXIOM Cyber? Request a free trial or visit https://www.magnetforensics.com/products/magnet-axiom-cyber/ to learn more. 

The post Perform Remote Collections of Endpoints with Confidence appeared first on Magnet Forensics.
