Channel: Magnet Forensics

Using Magnet ACQUIRE in Your Investigations


We recently announced a beta program for our latest tool, Magnet ACQUIRE™. Magnet ACQUIRE is a smartphone acquisition tool that will enable you to quickly and easily extract an image from any iOS or Android smartphone or tablet. We are currently accepting applications for the beta program from existing customers, and will be launching a community beta later this summer.

As you know, full physical extractions are becoming more and more difficult to obtain without using advanced techniques, such as JTAG and chip-off. Manufacturers are locking bootloaders and encrypting data by default, limiting the options for examiners who are looking to get a full image of a device. With Magnet ACQUIRE, we’ve developed two distinct extraction methods, Quick and Full, to help examiners obtain the right image depending on the needs of your examination and the support for the device.

A Quick Extraction allows examiners to quickly and reliably obtain a logical image, and will work on all iOS and Android devices. The image includes a backup of the most important user data, as well as additional data found within the file system. With an iOS device, for example, the Quick Extraction method would be comparable to a combined method 1 and method 2 acquisition with other forensic acquisition tools.

Examiners are also able to perform a Full Extraction on some of the most popular Android devices that support rooting, or are already rooted. Magnet ACQUIRE will automatically try the most common privilege escalation exploits available for Android devices to obtain physical access. A Full Extraction will also work on jailbroken iOS devices.

Use Case Scenario

As examiners, we are challenged every day with managing more work than there are hours in the day. In addition, the sheer quantity of devices that are included in each examination seems to grow with every case. In the early days, there were often only one or two PCs to be examined for an investigation. Today, it’s not uncommon to see over a dozen PCs and smartphones tied to a single investigation. Often, many of these devices have nothing of value to the case, but still need to be examined in order to find the handful of devices that are vital to the investigation.

Imagine that you’re a law enforcement examiner that supports vice or drug investigations. After a raid, you are presented with 15 mobile devices that were seized from suspects upon arrest or found at the scene. Many of these devices will not contain data relevant to the investigation; however, you still need to examine all 15 of them in order to determine which ones contain the evidence you need.

Using Magnet ACQUIRE, you can obtain a Quick Extraction of each device and upload the image to Magnet IEF to quickly review for any evidence that may be relevant to the case. A Quick Extraction can take less than 5 minutes, depending on the device, which means you can start your analysis sooner. In addition, IEF enables you to queue up several images at once, making the analysis process faster. Once you have identified the 3 or 4 devices that are of value to your investigation, you can determine if you need to dig deeper and obtain either a full image or perform a JTAG or chip-off to collect more data from the devices.

Magnet ACQUIRE can help you analyze multiple devices faster, eliminating the need to conduct a complete analysis on all 15 devices, and enabling you to focus your analysis efforts on the 3 or 4 devices that are most important to the investigation. We hope that Magnet ACQUIRE will assist in your workflow and enable you to work more efficiently.

As always, if you have any questions or comments, please feel free to contact me: jamie[dot]mcquaid[at]magnetforensics[dot]com.

If you’re interested in learning more about how Magnet ACQUIRE works, take a look at some of our additional resources:

Learn More About Magnet ACQUIRE

Join the Magnet ACQUIRE Beta Program

 

Announcing Magnet ACQUIRE: A New Forensic Tool for Imaging Smartphones


From Jad Saliba, Founder & CTO of Magnet Forensics

Today I’m excited to announce the beta availability of a new software product called Magnet ACQUIRE™. Magnet ACQUIRE is a smartphone acquisition tool that will allow you to quickly and easily acquire an image of any iOS or Android smartphone or tablet.

We’re looking for forensic professionals to join our beta program and help us make a great smartphone acquisition tool for the digital forensics community. Your feedback is critical and will help us shape the product to best meet your needs. Current Magnet IEF customers can sign up for the beta program now, in our Customer Portal. Other members of the forensic community can sign up here to participate in the community beta later this summer.

Mobile Forensics with Magnet

While Magnet ACQUIRE is our first smartphone acquisition tool, it certainly isn’t our first smartphone forensics product. About two and a half years ago, we began development of our IEF Mobile Module – a product we designed to recover and analyze evidence contained within smartphone images. The Module was a product of customer feedback, having learned that our users needed a tool that would allow them to dig deeper into smartphone user activity in popular chat apps, browsers, social networking apps, email apps, etc.

Customer feedback was also the driving force behind the development of Magnet ACQUIRE. Over the last year, I discovered that more and more of our customers were expressing concern over the challenges they were facing getting smartphone images. Some of the most common pain points I was hearing from customers were:

    • “Sometimes I’m able to acquire a physical image, while other times I can only get a logical image. I’m spending too much time on ‘hit or miss’ extraction attempts on smartphones.”
    • “Why do I have to choose ‘method x’ or ‘method y’? I don’t understand the difference between these methods or why they seem to produce different results?”
    • “How are my tools extracting data to create smartphone images? The extraction process is unclear.”

Building Magnet ACQUIRE

With this feedback in mind, we set about researching extraction methods to build Magnet ACQUIRE. The customer feedback we received appeared to share two common root causes:

  1. Increased security of smartphone operating systems:
    Smartphone operating systems are getting more secure, making physical images increasingly difficult to acquire. This is a new reality of smartphone forensics.
  2. Limited transparency in acquisition methods:
    There’s a lack of transparency, openness, and documentation about the acquisition methods used by mobile forensics tools, making it hard for digital forensic examiners to:
      • Troubleshoot or adapt when they encounter a problem during acquisition,
      • Identify the ‘path of least resistance’ to get a quick image, or
      • Know which method will produce the most comprehensive image

When we developed Magnet ACQUIRE, we defined three key benefits we wanted to deliver on to help overcome these problems faced by our customers. Magnet ACQUIRE would be reliable and fast, acquire as much data as possible, and have documented acquisition methods and process transparency.

No small task, but the Magnet development team likes a challenge (and we give them plenty :) ), and they never cease to amaze me with what they’re able to accomplish. And so, Magnet ACQUIRE was born.

Extracting an Image with Magnet ACQUIRE

Magnet ACQUIRE offers a choice of two distinct extraction processes:
    • Quick Extraction – a reliable and quick method for obtaining a logical image from any iOS and Android device.
    • Full Extraction – a method allowing users to gather more evidence through physical images of rooted Android devices or file system logical images of jailbroken iOS devices.

Our Quick Extraction method uses documented backup processes and openly known commands for iOS and Android. The advantage of these methods is that they will work consistently. Quick Extraction uses a combination of two acquisition methods in a single extraction process to produce one logical image with more content/data than can be obtained by either method on its own.

I see Quick Extraction as a great way to start off a smartphone examination, knowing that it’s a fast and consistent way to get an image. You can use IEF to recover and analyze evidence from this image.  If the data recovered proves valuable, you can use the Full Extraction method or another imaging tool to try and get a physical image of the device, which may reveal additional evidence from unallocated space.

As the smartphone landscape continues to change and advance, the process of investigating these devices becomes more challenging, but essential. Our team at Magnet Forensics is committed to building tools and sharing information that will help you spend less time navigating the technical complexities of smartphone forensics, and more time using smartphone evidence to uncover the truth.

To our customers, thank you for your long-time support and for being there with us as we grow.  It’s important to me that we maintain a close working partnership with our customers and the forensic community, as it helps us learn and improve our products. We hope that this free beta trial of Magnet ACQUIRE will assist you in the important work you do.

Learn More About Magnet ACQUIRE

Join the Magnet ACQUIRE Beta Program

 

How to Image a Smartphone with Magnet ACQUIRE


Magnet ACQUIRE™ is designed to quickly and easily acquire an image of any iOS or Android device. Examiners are given the option of two extraction methods: Quick and Full.

Quick Extraction:

The Quick Extraction method will work on any iOS device, version 5 or newer. Magnet ACQUIRE will combine an iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data. A Quick image from Android devices will include an ADB backup, as well as an additional extraction to obtain browser history and/or native application data (depending on the version of Android). Magnet ACQUIRE supports Android version 2.1 or newer.
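An ADB backup, which the Quick image described above includes for Android, begins with a short text header that states whether the payload is compressed and whether it is encrypted. The following is an added example, not Magnet's code or part of the original post: it reads that header and lists the files in an unencrypted backup without extracting them. The function names, the sample data, and the assumption that you are working with a standalone `.ab` file are illustrative.

```python
import io
import tarfile
import zlib

KDF_FIELDS = ("user_salt", "checksum_salt", "pbkdf2_rounds", "user_iv", "master_key_blob")

def parse_ab_header(fh) -> dict:
    """Read the text header of an .ab stream; leaves fh at the first payload byte."""
    def line() -> str:
        raw = fh.readline(4096)
        if not raw.endswith(b"\n"):
            raise ValueError("truncated or malformed .ab header")
        return raw[:-1].decode("ascii")
    if line() != "ANDROID BACKUP":
        raise ValueError("not an Android backup stream")
    info = {"version": int(line()), "compressed": line() == "1", "encryption": line()}
    if info["encryption"] != "none":
        # Encrypted backups add five lines of key-derivation material (hex / integer).
        info["kdf"] = {name: line() for name in KDF_FIELDS}
    return info

class _Inflate(io.RawIOBase):
    """Streaming zlib reader so large backups are never held in memory at once."""
    def __init__(self, fh):
        self._fh, self._z, self._buf = fh, zlib.decompressobj(), b""
    def readable(self):
        return True
    def readinto(self, b):
        while not self._buf:
            chunk = self._fh.read(65536)
            if not chunk:
                self._buf = self._z.flush()
                break
            self._buf = self._z.decompress(chunk)
        n = min(len(b), len(self._buf))
        b[:n] = self._buf[:n]
        self._buf = self._buf[n:]
        return n

def list_entries(fh) -> list:
    """Return (path, size) for every regular file in an unencrypted backup."""
    info = parse_ab_header(fh)
    if info["encryption"] != "none":
        raise ValueError("encrypted backup: the backup password is required first")
    payload = _Inflate(fh) if info["compressed"] else fh
    # "r|" reads the tar sequentially; nothing is written to disk.
    with tarfile.open(fileobj=payload, mode="r|") as tar:
        return [(m.name, m.size) for m in tar if m.isfile()]

def build_sample() -> bytes:
    """Constructed sample: a compressed, unencrypted backup with two files."""
    tar_bytes = io.BytesIO()
    with tarfile.open(fileobj=tar_bytes, mode="w") as tar:
        for name, body in (("apps/com.example.app/_manifest", b"1\n"),
                           ("apps/com.example.app/db/notes.db", b"constructed")):
            entry = tarfile.TarInfo(name)
            entry.size = len(body)
            tar.addfile(entry, io.BytesIO(body))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(tar_bytes.getvalue())

if __name__ == "__main__":
    for path, size in list_entries(io.BytesIO(build_sample())):
        print(f"{size:>8}  {path}")
```

Open evidence files read-only in binary mode (`open(path, "rb")`) and pass the handle to `list_entries`.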

Full Extraction:

Magnet ACQUIRE can also help you obtain a full, physical image of many Android devices by using either the built-in privilege escalation exploits or by imaging a device that has already been rooted. Full Extraction is also supported for jailbroken iOS devices.

To use Magnet ACQUIRE, start by connecting the mobile device to your examination computer. Run the tool and you should be presented with a list of devices that are connected to your system.

In the above example, I have connected an LG G3 Android device to my system. If your device does not appear, you’ll need to ensure the correct drivers for the device are installed on your computer. Installing iTunes will provide you with the correct iOS drivers. If Windows installs incorrect drivers for your Android device, install the USB drivers from the smartphone manufacturer’s website. You must also ensure that the device has USB debugging enabled and you must “trust” the connected computer when prompted on the device. For additional assistance connecting a device, beta participants can access additional resources in our Customer Portal.

Next, you will be given some extraction options based on the connected device. With the LG G3 Android device that I’ve connected, I can choose a Quick or Full Extraction. Since the device is not rooted, a Full Extraction will attempt to gain privileged access to the device before obtaining a physical image.

A Quick Extraction will work for any device, even when physical access cannot be obtained (which is becoming a common challenge with modern devices). This will allow for the acquisition of valuable native and third-party application data on the device. A Quick Extraction will let the examiner know if a device has valuable data that warrants the additional time and effort of the more manual techniques. If additional data is required, a JTAG or chip-off extraction is often used as an alternative.

Here, I have chosen a Quick Extraction for the LG G3, which means Magnet ACQUIRE will perform an ADB backup of all the apps, as well as an additional acquisition of the device’s browsing history.

Once the imaging process is complete, you’ll be provided with a folder that contains a zip file of all the extracted content, an activity log of the steps taken during the acquisition, and a text file containing details of the acquired smartphone, hashes, and timestamps.

Once you have acquired your image, it can be analyzed by your tool of choice. Images can be easily loaded into Magnet IEF by opening IEF, going to “Mobile”, selecting your desired OS (we’re using Android for this example), and choosing “Images”. IEF will load the image and you can then proceed with your analysis, just like any other PC or mobile image.

Once the analysis is complete, you will be presented with your results in the familiar IEF report, with organized data that can be easily searched, bookmarked, and reported.

As always, if you have any questions or comments, please feel free to contact me: jamie[dot]mcquaid[at]magnetforensics[dot]com.

If you’re interested in learning more about how Magnet ACQUIRE works, take a look at some of our additional resources:

Learn More About Magnet ACQUIRE

Join the Magnet ACQUIRE Beta Program

April Artifact Update: Native Android Apps


Our latest artifact update for IEF includes support for native Android applications. As the mobile market continues to narrow-in on two primary operating systems – Android and iOS – it’s becoming increasingly important for investigators to recover data from these built-in system apps. In February, we added support for a similar set of native iOS...

The post April Artifact Update: Native Android Apps appeared first on Magnet Forensics.

Hex & Text Viewer


Every forensic examiner is familiar with hex and text viewers; they are the cornerstone of the most basic forensic examination. If all your tools and scripts fail or don’t support a given artifact, you can always fall back to a hex viewer to dig into an artifact to uncover any evidence within. New with IEF...

The post Hex & Text Viewer appeared first on Magnet Forensics.

Profiles & Identifiers


Another new feature that we’ve added to Magnet IEF in version 6.6 is Profiles. This feature allows investigators to build a profile of a particular person of interest that may be involved in the investigation. This person of interest may be a suspect, a victim, or just someone who is involved with or associated to...

The post Profiles & Identifiers appeared first on Magnet Forensics.

Examiner & Investigator Modes


As we continue to add analysis features to Magnet IEF, one of the most common pieces of feedback we receive is that we needed a simplified report viewer for sharing IEF results with non-technical stakeholders. These stakeholders may include other investigators, lawyers, analysts, managers, HR, or anyone else who may be involved with an investigation,...

The post Examiner & Investigator Modes appeared first on Magnet Forensics.


Using Magnet ACQUIRE in Your Investigations


We recently announced a beta program for our latest tool, Magnet ACQUIRE™. Magnet ACQUIRE is a smartphone acquisition tool that will enable you to quickly and easily extract an image from any iOS or Android smartphone or tablet. We are currently accepting applications for the beta program from existing customers, and will be launching a...

The post Using Magnet ACQUIRE in Your Investigations appeared first on Magnet Forensics.

Announcing Magnet ACQUIRE: A New Forensic Tool for Imaging Smartphones

Investigating smartphones and tablets with IEF


Register for Investigating Smartphones and Tablets Date and time: Thursday, June 11th, 2015 1:00 pm  Eastern Standard Time (New York, GMT-05:00)  Duration: 1 hour In this session we’ll introduce the main functions and features of IEF to help you get started when examining a mobile device with IEF. We’ll go over the types of devices...

The post Investigating smartphones and tablets with IEF appeared first on Magnet Forensics.

Investigating computers with IEF


Register for Investigating computers with IEF Date and time: Thursday, June 18th, 2015 1:00 pm  Eastern Standard Time (New York, GMT-05:00)  Duration: 1 hour In this session we’ll introduce the main functions and features of IEF to help you get started when examining a PC with IEF. We’ll go over the types of evidence that...

The post Investigating computers with IEF appeared first on Magnet Forensics.

Investigating smartphones and tablets with IEF


Register for Investigating Smartphones and Tablets Date and time: Thursday, June 25th, 2015 1:00 pm  Eastern Standard Time (New York, GMT-05:00)  Duration: 1 hour In this session we’ll introduce the main functions and features of IEF to help you get started when examining a mobile device with IEF. We’ll go over the types of devices...

The post Investigating smartphones and tablets with IEF appeared first on Magnet Forensics.

Investigating computers with IEF


Register for Investigating computers with IEF Date and time: Thursday, July 2nd, 2015 1:00 pm  Eastern Standard Time (New York, GMT-05:00)  Duration: 1 hour In this session we’ll introduce the main functions and features of IEF to help you get started when examining a PC with IEF. We’ll go over the types of evidence that...

The post Investigating computers with IEF appeared first on Magnet Forensics.

Magnet IEF Feature Profile: Hex & Text Viewer


Overview: Magnet IEF reports some of the most important data for files and artifacts. However, examiners often need to dig even deeper into an artifact or file to better understand its purpose or value. Hex and Text Viewers, now built into Magnet IEF Report Viewer, allow examiners to view the raw data and: Confirm/validate the...

The post Magnet IEF Feature Profile: Hex & Text Viewer appeared first on Magnet Forensics.


Magnet IEF Feature Profile: Profiles & Identifiers


Overview: During an investigation, examiners often come across multiple identifiers for a single suspect, including  names, aliases, phone numbers, email addresses, and more. Examiners want to be able to easily identify what activity was done by their suspect or other persons of interest within their case. Collecting and organizing this data can be challenging, especially...

The post Magnet IEF Feature Profile: Profiles & Identifiers appeared first on Magnet Forensics.

How to Image a Smartphone with Magnet ACQUIRE


Magnet ACQUIRE™ is designed to quickly and easily acquire an image of any iOS or Android device. Examiners are given the option of two extraction methods: Quick and Full. Quick Extraction: The Quick Extraction method will work on any iOS device, version 5 or newer. Magnet ACQUIRE will combine an iTunes backup, with some additional acquisition...

The post How to Image a Smartphone with Magnet ACQUIRE appeared first on Magnet Forensics.

Investigating Smartphones with Magnet ACQUIRE and IEF


Date and time: Thursday, June 25th, 2015 11:00 am Eastern Standard Time (New York, GMT-05:00) Duration: 1 hour The amount of data being generated by mobile devices has exploded, resulting in exponentially more work for forensic examiners. To make matters more difficult, increased security features being introduced to iOS and Android devices (including encryption and...

The post Investigating Smartphones with Magnet ACQUIRE and IEF appeared first on Magnet Forensics.

Building and Improving Magnet ACQUIRE: An Update on Our Beta Program


A month ago, we launched the Magnet ACQUIRE beta program and welcomed customers to download and try our new smartphone acquisition tool. We’ve since received an overwhelming amount of interest from individuals looking to join the program and provide us with their feedback. For us, the development of Magnet ACQUIRE is a joint effort between...

The post Building and Improving Magnet ACQUIRE: An Update on Our Beta Program appeared first on Magnet Forensics.

Investigating computers with IEF


Register for Investigating computers with IEF Date and time: Thursday, July 16th, 2015 1:00 pm  Eastern Standard Time (New York, GMT-05:00)  Duration: 1 hour In this session we’ll introduce the main functions and features of IEF to help you get started when examining a PC with IEF. We’ll go over the types of evidence that...

The post Investigating computers with IEF appeared first on Magnet Forensics.
