Continuing on from our 2019 in Review series, we caught up with our internal Forensics Experts to get an idea of what product innovations and trends excited them the most this year. Read their responses below and check out our other 2019 review posts, where we summarize the year at Magnet Forensics and our year developing our Mac support within Magnet AXIOM.
Jessica Hyde, Director of Forensics (@B1N2H3X)
Wow, looking back on 2019, we have put out so many new features and products. My favorite new product from Magnet Forensics this year is Magnet AUTOMATE. What I like most about AUTOMATE is how it allows examiners to focus on the deep technical forensic work instead of pushing buttons to process evidence. AUTOMATE allows forensic labs to create custom orchestration of any forensic tools that have a CLI. This allows organizations to take advantage of hardware and software 24 hours a day, helping to reduce backlog and begin analysis sooner, leading to quicker turn-around times, reduction of backlogs, and to forensic examiners spending more of their time finding new artifacts and conducting detailed analysis.
What am I excited for in terms of trends? I am excited about the dramatic change to doing full Pattern of Life analysis on mobile phone data. Traditionally, mobile forensics focused on the content recovered from applications. There has been a dynamic change over the last 18 months due to both research and access. Everything from Usage Stats, Recent Tasks, and Battery Usage on Android to the wealth of artifacts being parsed from the KnowledgeC database on iOS devices. The access to iOS devices, thanks to both solutions like GrayKey and the checkra1n jailbreak, means we have access to these artifacts now for iOS. All of these new artifacts have led to our ability as forensic examiners to timeline activity on mobile devices, both iOS and Android, like never before! And what this means is examiners have dramatically changed the way they look at mobile forensic analysis and now are able to understand more about the activity that occurred on a device.
One of the things I love most about working in DFIR is that there are constantly new challenges and changes. I look forward to how we address Cloud data as a community. And “cloud” data can refer to so many things! It could be environments that store in AWS, Azure, or Google Private Cloud. But it can also mean application data stored off the mobile device, cloud backups, third-party app storage, IoT sensors and devices, as well as corporate suites like Microsoft O365 and Google Suite. We can acquire this data a variety of ways – scraping, undocumented APIs, passwords, and auth tokens. But the real challenge in dealing with this data exceeds the technical, as a major challenge to Cloud-sourced data rests with legal authorization and modernizing our standard operating procedures to deal with these challenges.
There are a whole host of other challenges that we will continue to face — from encryption, to the Internet of Things, to increasing amounts of data, to new hardware, to ever-changing apps and operating systems. As we, as a community, continue to tackle these ideas, one of the most important things we can do is to share information with each other as we each learn new things, be it about an application, a device, or a data source. Sharing our learnings with others and working together to build on things is the only way we will be able to keep up with these challenges. Over the past year there has been vast collaboration and sharing throughout our DFIR community. I am excited about our future and how we can all work together to find innovative solutions to continue moving forward.
Jamie McQuaid, Technical Forensic Consultant (@reccetech)
Looking back at all the things we added to Magnet AXIOM or things we added at Magnet Forensics can be overwhelming because it’s amazing how easy it is to forget things we did only a few months ago.
I’m going to pick two things that I would say are my favorite: one AXIOM feature, and one new product. First on the list is the complete redesign of our Timeline Explorer in AXIOM. I’m a huge fan of doing timeline analysis for any investigation type and our new timeline allows us to quickly conduct that analysis and visualize the activity on a computer or phone using all available timestamps from both the artifacts and file system. The level of granularity it enables allows me to follow a user’s interactions step-by-step.
The second item I want to call out is Magnet OUTRIDER. This is still a relatively new product by us, only being released in October, but it has really resonated with users. OUTRIDER’s ability to quickly identify inappropriate material on a computer or phone in seconds allows people doing regular review of computers for contraband to get actionable results almost immediately. Pairing that with the partnership with CRC, which will allow us to identify more relevant material even faster, this is certainly something to keep an eye on early in 2020.
I think the most exciting thing happening to DFIR right now, and that will likely continue into the new year, is the discussions going on around data being recovered from Apple devices. For the past several years, we’ve been limited to what has been available in an iTunes backup. With the availability of GrayKey extractions and most recent exploits for Checkm8/Checkra1n, analysis of Apple devices has been very helpful in many investigations. The level of artifacts you can recover when you have this level of access is amazing. KnowledgeC, Network usage, ScreenTime, FSEvents, Health Data, Significant Locations, Email, iOS Wallet, Keychain tokens/passwords, all previously unavailable without these tools and methods. I look forward to seeing what 2020 brings.
Tarah Melton, Forensic Consultant (@melton_tarah)
It’s hard to pick a favorite new feature in AXIOM from 2019. This year was filled with tons of exciting developments, from APFS support to our enhanced media categorization with Project VIC and CAID. But, if I could only pick just one, I’m going with our new and improved Timeline view! This to me was a total game changer, to be able to create such a comprehensive timeline of both file system AND artifact timestamps from ALL evidence loaded in your case, be it computer, mobile, cloud, or even memory! Along with the ability to utilize the relative time filter from Artifacts view, allowing the examiner to jump right to the moment of the Timeline that they are interested in, makes analysis of the events within your case incredibly effective and streamlined. The categorization of each of these events helps the examiner quickly identify the type of activity that might be of most value to their case, such as user communication or program execution.
The Timeline view also shows a useful line graph at the top for easy navigation between the timestamps of an artifact, and to provide the examiner with a visualization of when activity was occurring and any patterns of activity that might be of interest. I am absolutely blown away with the capability of the Timeline view in AXIOM. Read more about it here and then check it out for yourself!
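Both Jamie's and Tarah's answers describe the same idea: timestamps from different artifact and file system sources are normalized, merged into one chronological view, categorized, and then narrowed with a relative time filter around an event of interest. As an added illustration that is not Magnet's code, the following Python sketch does this for constructed sample records; KnowledgeC stores its timestamps in Mac absolute time (seconds since 2001-01-01 UTC), which the example converts, while the SMS and FSEvents values are treated as Unix epoch seconds, and the category labels are my own.

```python
from datetime import datetime, timedelta, timezone

# Epochs used to normalize raw timestamps to UTC. Unix time counts from 1970;
# Apple's "Mac absolute time" (used by KnowledgeC) counts from 2001-01-01.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Source name -> (epoch, activity category). Categories are illustrative
# labels chosen for this example, not the product's own taxonomy.
SOURCES = {
    "knowledgec_app_usage": (MAC_ABSOLUTE_EPOCH, "program execution"),
    "sms": (UNIX_EPOCH, "user communication"),
    "fsevents": (UNIX_EPOCH, "file system"),
}

def normalize(record):
    """Turn one raw record into an event with a timezone-aware UTC datetime."""
    epoch, category = SOURCES[record["source"]]
    return {
        "time": epoch + timedelta(seconds=record["timestamp"]),
        "category": category,
        "source": record["source"],
        "detail": record["detail"],
    }

def build_timeline(records):
    """Merge records from every source into one chronologically sorted list."""
    return sorted((normalize(r) for r in records), key=lambda e: e["time"])

def relative_window(timeline, pivot, before=timedelta(minutes=5),
                    after=timedelta(minutes=5)):
    """Relative time filter: keep events within [pivot - before, pivot + after]."""
    return [e for e in timeline if pivot - before <= e["time"] <= pivot + after]

# Constructed sample records (not from a real device). Seconds since each
# source's epoch: 1561896000 is 2019-06-30 12:00:00 UTC in Unix time.
SAMPLE_RECORDS = [
    {"source": "sms", "timestamp": 1561896000, "detail": "outgoing message"},
    {"source": "knowledgec_app_usage", "timestamp": 583588860,
     "detail": "com.apple.MobileSMS in focus"},          # 12:01:00 UTC
    {"source": "fsevents", "timestamp": 1561896300, "detail": "sms.db modified"},
    {"source": "knowledgec_app_usage", "timestamp": 583500000,
     "detail": "camera app in focus"},                   # previous day
]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    pivot = next(e["time"] for e in timeline if e["source"] == "sms")
    for e in relative_window(timeline, pivot):
        print(e["time"].isoformat(), e["category"], e["source"], e["detail"])
```

Running it lists only the three events within five minutes of the message; the camera usage from the previous day is sorted into the full timeline but filtered out of the window.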
Mike Williamson, Technical Forensic Consultant (@forensicmike1)
I’m new to the Magnet Forensics team this year, and have been struck by the amount of effort that goes into each and every release of our products. From research and development, to testing and rollout, the team works with an impressive level of cohesion from multiple Magnet Forensics offices in different countries. Magnet Forensics is known for being a vendor who truly pays attention to customers, and I’ve realized this comes from a deeply rooted philosophy within the organization to continually improve the product in meaningful ways.
As mobile tech companies of the world tighten their grip on the security of their devices ever further, I am profoundly interested to see how the #DFIR community (which includes both vendors and users), will respond. The old adage “if humans can make it, humans can break it” will surely be tested over the next decade.
My favorite new feature in AXIOM in 2019 was most certainly the ability to use regular expressions as filters, including on a per-column basis. I love this change in particular because it allows you to harness the power of an entire parsing language without taking you away from your current view. That you can stack multiple regexes on top of each other is also excellent. I love to see advanced features like this make it into the product because it provides veteran users new functionality to explore, but also for newer users to the product, as they progress as an examiner and become more knowledgeable, these hidden gems will be available to them to discover and use in their day-to-day examinations.