A Look Back at 2018: Resources for Mobile Investigations
As 2018 draws to a close, we’ll be taking a look back at some of the resources we’ve offered this year to help forensic examiners in their investigations. This blog is a roundup of a year’s worth of mobile forensics resources.
We kicked off 2018 by adding 550 Android recovery images and new password bypass support for LG and Samsung devices to Magnet AXIOM. AXIOM 2.0 then gave you the ability to load GrayKey images into AXIOM, and later on, we added support for devices with MTK and Qualcomm chipsets, as well as expanded support for iOS artifacts.
We like to think of in-product support as only a starting point. We want to help our users and the broader forensics community understand what these changes mean and how to investigate for best results. To that end, this year we made sure to offer a number of webinars, white papers, videos, and blog posts. Here are a few of the highlights:
Mobile Password Bypass
This year we didn’t just add Android recovery images to AXIOM; we also included options for Android phones with different chipsets. Two of the methods we added were EDL mode for Qualcomm devices, and Advanced Media Transfer Protocol (MTP) for Samsung devices.
In fact, it's now possible to acquire a logical image of any Android or iOS device, with no model-specific cable or method needed. Our blog post from last February outlined why. Looking to do a physical extraction? Revisit our recorded webinar that provided an in-depth look at different password bypass options, and be sure to visit our YouTube channel for a 12-video mobile how-to playlist.
Understanding the Mobile Operating Systems of 2018
Apple’s iOS 11 headlined much of our content over the past eight months, including two webinars: one that covered that OS in addition to Android Nougat and Oreo, followed up later in the year with a second webinar spanning iOS 10, 11, and 12. We also offered a white paper on acquiring and parsing data from iOS 11 devices.
iOS 11 discussion accelerated over the summer, after Apple introduced changes to its USB Restricted Mode that had the potential to affect how soon investigators could access evidence. Fortunately, our in-house trainer and expert Chris Vance provided research on how to delay USB Restricted Mode, and later, how to handle devices post-11.4.1.
No iOS discussion would be complete without including Grayshift’s GrayKey device, which enables law enforcement to bypass unknown iOS passcodes. Our recorded webinar described how to work with GrayKey on iOS 11 devices. We also offered blog posts showing how to load GrayKey images into AXIOM, and from there, how to rely on AXIOM’s artifact parsing to analyze those images.
You’ve Acquired the Data. Now What?
GrayKey images aren’t the only third-party acquisitions we ingest into AXIOM. We used a series of blog posts to describe how to use AXIOM in a forensic toolbox approach, including how to load images from Cellebrite UFED, MSAB XRY, and Oxygen.
Delving into the Artifacts
AXIOM's true strength lies in its artifact parsing, and we made sure to take the time to explore its capabilities, and how to make the best possible use of them, in greater detail. Our webinar about mobile app parsing dug into the process of finding evidence from unsupported apps; we backed this up with a white paper that covered 10 skills you need to master mobile app forensics, along with a follow-up blog post about how AXIOM helps you build them.
We also offered webinars on overall mobile trends, tools, and methods, then got specific with coverage of how the onset of security apps can impact investigations, and with a blog post about Android messaging forensics.