With the release of Magnet AXIOM 3.0 in early 2019, we built on our world-class Windows support by adding Mac support to Magnet AXIOM, including support for the newest version of macOS (10.15, Catalina) as soon as it was publicly available. With these updates, AXIOM is more comprehensive for computer forensics than ever before!
Here’s a quick overview of some of the features we’ve brought to AXIOM to help with Mac investigations this year. If you haven’t tried Magnet AXIOM and want to see how you can investigate Mac evidence with the complete digital investigation platform, try it free today.
If you want to dive deeper, check out our recorded webinar, “macOS: Forensic Artifacts and Techniques That are Essential for Mac Investigations”, and our “Magnet AXIOM and macOS/APFS” white paper.
Support for Decrypting FileVault2-Encrypted Drives, APFS, macOS Artifacts and More
With AXIOM 3.0, we introduced the ability to search and recover data from Apple products running macOS. AXIOM began supporting the decryption of FileVault2-encrypted drives, containers, and volumes, as well as parsing artifacts from APFS sources and traversing them in the File System explorer in AXIOM.
And, in keeping with our artifacts-first approach, we also added support for over 180 relevant macOS artifacts, including user account information, FSEvents, connected devices, MRUs and the KnowledgeC database.
Finding More Deleted Data
In addition to searching the known file system for artifacts, AXIOM searches recently deleted files that are still held in the APFS free queue on Mac computers.
Display Spotlight Metadata from macOS
Files on macOS can carry a number of additional attributes associated with each file on the file system, typically referred to as extended attributes. AXIOM 3.4 surfaced this metadata in a new card in the details pane, providing a view of common attributes of interest in the Artifact Explorer and a full listing of attributes in the File System explorer.
Carve Unallocated Space for Artifacts on APFS
Following on our support for carving the macOS free queue for artifacts in AXIOM 3.2, AXIOM 3.4 added support for carving unallocated space on APFS. This is typically limited to files that have been deleted and whose associated blocks have been released back to the filesystem since the last password change.
Ingest AFF4 Physical Images from MacQuisition
You can ingest and process the AFF4 physical images acquired with MacQuisition. Starting in 2017, Mac computers have shipped with Apple’s T2 security chip, which provides hardware-assisted encryption for data stored on the system.
When an APFS container on a T2 hardware-encrypted system is acquired, MacQuisition interfaces with the chip to decrypt the protected data, creating a decrypted physical image in the AFF4 format.
macOS Extended Attributes
Extended attributes are arbitrary metadata stored alongside a file on macOS. They are separate from the attributes that are strictly determined by the filesystem (such as modification time or file size), and their contents are entirely up to the application that writes them, which makes them a rich source of extra information about the file.
As of AXIOM 3.7, you can access the complete extended attributes of a file and preview them within a hex and text preview card.
For example, if you’re seeking information about how a file arrived on the system, the attribute kMDItemWhereFroms gives examiners that context, whether the file came from a web download or via AirDrop.
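As a worked illustration of the provenance metadata described above, here is a small Python decoder for two macOS extended attributes: kMDItemWhereFroms (named in the post) and com.apple.quarantine, whose name, `flags;hex-epoch;agent;uuid` layout and link to the quarantine events database are assumptions drawn from general macOS knowledge rather than from the post. This is example code added here, not part of Magnet AXIOM; the sample attribute values are constructed, not taken from a real system.

```python
"""Decode the two macOS extended attributes most often used to establish where a
file came from: kMDItemWhereFroms (download origin) and com.apple.quarantine.
Added example code; not part of Magnet AXIOM or the original post."""
import os
import plistlib
from datetime import datetime, timezone

# Attribute names as they appear in `xattr -l` on macOS.
WHEREFROMS_XATTR = "com.apple.metadata:kMDItemWhereFroms"
QUARANTINE_XATTR = "com.apple.quarantine"


def parse_wherefroms(raw: bytes) -> list[str]:
    """kMDItemWhereFroms is stored as a binary plist holding an array of
    strings, typically the download URL followed by the referring page."""
    value = plistlib.loads(raw)
    if not isinstance(value, list):
        raise ValueError("kMDItemWhereFroms should decode to a plist array")
    return [str(item) for item in value]


def parse_quarantine(raw: bytes) -> dict:
    """com.apple.quarantine is a plain string: 'flags;epoch_hex;agent;uuid'.
    Flags and timestamp are hexadecimal; the UUID is the key that joins the
    file to its row in the LaunchServices quarantine events database
    (layout assumed from general macOS knowledge)."""
    fields = raw.decode("utf-8").split(";")
    if len(fields) < 3:
        raise ValueError("unexpected com.apple.quarantine layout")
    flags, stamp, agent = fields[0], fields[1], fields[2]
    event_id = fields[3] if len(fields) > 3 and fields[3] else None
    return {
        "flags": int(flags, 16),
        "timestamp": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent,
        "event_uuid": event_id,
    }


def file_provenance(path: str) -> dict:
    """Read both attributes from a live file on macOS (or any filesystem that
    exposes xattrs). Returns an empty dict where the attributes are absent."""
    result = {}
    if not hasattr(os, "listxattr"):
        return result
    names = set(os.listxattr(path))
    if WHEREFROMS_XATTR in names:
        result["where_froms"] = parse_wherefroms(os.getxattr(path, WHEREFROMS_XATTR))
    if QUARANTINE_XATTR in names:
        result["quarantine"] = parse_quarantine(os.getxattr(path, QUARANTINE_XATTR))
    return result


# Constructed sample values (not from a real system) so the parsers can be
# exercised without a Mac image at hand.
SAMPLE_WHEREFROMS = plistlib.dumps(
    ["https://example.com/downloads/report.pdf", "https://example.com/downloads/"],
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_QUARANTINE = b"0083;5d3a1c2b;Safari;A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D"

if __name__ == "__main__":
    print(parse_wherefroms(SAMPLE_WHEREFROMS))
    print(parse_quarantine(SAMPLE_QUARANTINE))
```

On a Mac, `file_provenance("/path/to/Downloads/some_file")` reads the live attributes; on an image, the same two parsers can be pointed at the raw attribute bytes that a forensic tool exports, and the quarantine UUID is what lets an examiner tie the file back to the originating download record.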
Learn more about extended attributes, Spotlight metadata, and the quarantine events database in this video from Trey Amick, Forensics Consultant:
And with Magnet AXIOM 3.8, we brought support for dedicated AirDrop artifacts that AXIOM can now parse. Get a deeper look at the rich data you can recover from these artifacts:
Of course, we also continued to improve performance within AXIOM. We significantly reduced the time it takes to scan Mac images, seeing up to 4x improvements in speed; in one example, a scan that once took 4 ½ hours now takes just 52 minutes!
And if you want to see how you can use AXIOM to help in your Mac USB investigations, check out this AXIOM at Work video: