Beginning in Magnet AXIOM 3.11, the dar file format (or Disk ARchive) is now supported for image processing.
In Cellebrite-generated .dar files, Accessed, Modified, and Changed are stored inside the .dar file. However, the Created timestamp is stored in external .plists, typically found alongside your extraction in the “MetaData” folder.
Clik here to view.
For a further explanation of the 4 timestamps on iOS, please check out this blog post from our Jessica Hyde (@B1N2H3X).
In order to incorporate Created timestamps into your case from these .plists, you must point to the .ufd file in AXIOM Process.
In the event you do not have these plists, AXIOM can still parse the content as shown in the figures below, however Created timestamps will not be displayed for filesystem entries.
Clik here to view.
Clik here to view.
I’ve also created a video walking through the steps of how to load the ,dar file and include the timestamps:
If you’re not already using AXIOM, you can request a free 30-day trial today.
Feel free to reach out to me at mike.williamson@magnetforensics.com or @forensicmike1 on Twitter if you have any feedback.
The post Magnet AXIOM Adds Support for .dar Files appeared first on Magnet Forensics.
