In part two of our Q&A session with Magnet Forensics Product Manager Tayfun Uzun, we take a deeper look at the features and capabilities of Magnet AXIOM Cloud (announced as part of Magnet AXIOM 1.2).
Let’s dive right in!
Magnet Forensics: AXIOM Cloud has launched! Congratulations! Why don’t you tell me about it. Let’s start with what you think will be the most compelling parts.
Tayfun Uzun: Thank you. The team put a lot of work into getting this product out quickly and making it really robust. There are a couple of things that really set AXIOM Cloud apart. We support a lot of cloud services, like Office 365, and some of the most popular services out there, like Facebook, Google, iCloud, Twitter and Instagram. But the way we’ve implemented them is the really important and compelling piece. When you look at something like our Office 365 support, we were able to build off of our Outlook support for computer forensics.
We leveraged the AXIOM platform, which means that AXIOM Cloud extracts smartphone and computer artifacts from cloud-based evidence. So, if a suspect has backed up computer and smartphone evidence in their cloud accounts, AXIOM can help to find and recover that.
The other great part about AXIOM Cloud is that it can be used with either or both of AXIOM Mobile and AXIOM Computer to really bring all the different evidence sources together and create a very comprehensive view of the digital evidence. We’ve heard from customers that bringing together all the data, regardless of source, is more important than ever and we wanted to make sure we were completely integrated.
Magnet Forensics: You mentioned leveraging the AXIOM platform – are there any key features not supported in AXIOM Cloud?
Tayfun Uzun: Definitely not. Actually, it’s a very important point that our customers will be able to access all the powerful examination tools in AXIOM from AXIOM Cloud. So, if you are working a child exploitation case, you need to quickly surface the most relevant data – you can extract from the cloud and run Magnet.AI (Ed. Note: In AXIOM, Magnet.AI is a filter called Luring Content), and you will have a narrowed list of conversations that are a clear starting point to look for grooming.
AXIOM supports more than eight views like timeline, world map, chat threads, and more. Imagine bringing together smartphone data, computer data, and cloud data – all on one timeline, or world map, to really understand the path and activity of a suspect, a victim, a file, what-have-you.
We also launched Connections, which allows people to see how data is related. In AXIOM Cloud, you can see how cloud data correlates to other cloud data, or if you have AXIOM Mobile/AXIOM Computer, you can discover relationships between cloud and smartphone and/or computer evidence. You will really be able to see all the places where a file might exist. We think it’s very powerful.
One more feature I will specifically mention, because it was another pain point for customers and other people in the industry: AXIOM Cloud also has our Portable Case feature, which essentially packages up all the data in the case with tags, comments, graphical views, etc. and allows examiners to share that case file with others (even those without an AXIOM license) to add their own comments, etc. AXIOM can then merge all that back into the original case. So depending on the AXIOM implementation, you could export all cloud data for review, or you could export all digital evidence collected in a single case or report for review. There’s no need to use a different tool to share out your findings.
Magnet Forensics: It sounds like there was quite a focus on examination of the cloud-based digital evidence. Why did you do that?
Tayfun Uzun: We felt it was really important to focus on not just cloud data extraction, but the analysis capabilities and sharing of cloud-based evidence. It really has to be about how you can take cloud-based evidence through your entire investigation in a simple, understandable way.
Cloud is one avenue for people to find digital evidence and it has to be just as examinable, reportable, and defendable as the more traditional computer and smartphone digital evidence.
Magnet Forensics: How do you see customers using AXIOM Cloud in the current legal environment?
Tayfun Uzun: What we are seeing in most countries is law enforcement is able to use tools to obtain data from the cloud when they have consent from the victim, suspect or witness. In addition, if obtaining cloud data is specified in the search warrant, it is also permitted in many jurisdictions. Law enforcement could also write a search warrant just for the cloud data. In some jurisdictions, if tokens are extracted from a mobile device, they can be used to access cloud as they are part of the warrant that covers data from a mobile device.
For corporate customers, obtaining cloud data from services like Microsoft Office 365 and OneDrive is usually permitted as it’s part of the corporate assets.
Magnet Forensics: What are some of the newest features of AXIOM Cloud?
Tayfun Uzun: With AXIOM 1.2.1, we have introduced support for ingested tokens. Basically, investigative teams will acquire tokens through third-party solutions and can then paste them into AXIOM Cloud to access cloud services and data to be examined using AXIOM’s examination tools. For teams who have invested in solutions that retrieve those tokens from computers and phones, they can leverage that investment and use AXIOM Cloud to bring all the cloud data together for a more complete examination.
We are working on how to evolve the token extraction in AXIOM and we hope to have some more information on that soon.
Magnet Forensics: How do you see AXIOM Cloud growing?
Tayfun Uzun: We will definitely be looking at ways to grow our list of supported services. We are also keeping our eyes on how the evidence is extracted and if there are opportunities to retrieve even deeper data. And, of course, all the new features we add into AXIOM will be available for the Cloud version as well.
With support from our customers, we want to continue to build out the forensically relevant services we offer and support. Another area we are looking at is token-based cloud extraction to allow examiners to leverage cloud accounts when they do not know the credentials.