Magnet AXIOM 2.6 is bringing big updates to Magnet AXIOM Cloud with WhatsApp backups, iCloud and Cloud Administrator account support. Together with improvements to Magnet.AI and to overall performance, AXIOM 2.6 demonstrates our commitment to being the gold standard for usability.
AXIOM Cloud Updates
WhatsApp Artifact Recovery
Within AXIOM 2.6, AXIOM Cloud can now also acquire and decrypt WhatsApp backups stored in an Android user’s Google Drive account. This capability is critical because the WhatsApp backup may contain information that is no longer available on the user’s phone. To simplify the process, WhatsApp is available as a source of evidence under AXIOM Cloud.
AXIOM 2.6 has brought a major overhaul to our support of WhatsApp for iOS and Android, particularly:
- iOS: Updated parsing support for messages to recover attachment previews, contacts, shared contacts in vCard format, latitude and longitude data for shared location messages (including thumbnail previews), sender information and group member history for group messages, and user names
- Android: Updated parsing support to recover contact profile pictures, frequently contacted users, generic attachments, media attachments, user names, and cached locations
Note: AXIOM requires the phone number associated with the WhatsApp account and the user’s Google credentials in order to decrypt the WhatsApp data. We also created a new mobile artifact that will attempt to find the WhatsApp decryption key from the suspect’s phone, making the process easier for examiners.
Keep an eye out for more WhatsApp updates in future releases!
Some suspects may not realize that key evidence hasn’t been permanently deleted and is still in the recently deleted section of their iCloud account. AXIOM Cloud can now acquire recently deleted documents and other files in an iCloud account — giving you the capability to extract files that haven’t yet been permanently deleted.
Cloud Administrator Accounts
Office 365 and Box administrators will now see more details related to users’ accounts, making it easier to select the correct user and content to acquire.
Finding Evidence Faster in Magnet.AI
Magnet.AI helps you better prioritize your time in an investigation by uncovering critical image evidence faster than with a manual review.
We’ve been expanding the image classification capabilities in Magnet.AI to include detection of vehicles, buildings (exteriors) and drones, in addition to images that may contain nudity, weapons, CSAM, drugs, screenshots, money, documents and personal ID (e.g., passport, license).
The Gold Standard for Usability
We’re always striving to make AXIOM the most user-friendly software on the market. We want to make sure you’re not wasting time trying to figure out how to use the options available on a case. In AXIOM 2.6, we’ve taken some steps to help maintain our high standards.
Quick Tips in AXIOM Examine
With all of the new capabilities we’ve introduced in the last year alone (including Mobile Password Bypass, Connections, Volatility integration, and Magnet.AI), it can be easy to miss some of the options that are available to help you get through cases faster. That’s why we’ve included quick tips within AXIOM: short overviews of features with links to learn more. We’ve worked really hard to make sure these tips aren’t obtrusive, and you’ll have the option to disable tips and never see them again.
You can now remove evidence items from a case if necessary — such as if you want to reduce the footprint of the overall case and improve performance for an investigator review. All removed evidence is logged with a time stamp and lists the evidence numbers of the data that was removed.
AXIOM 2.6 has a new artifact category that consolidates all email attachments into one spot, letting you easily review the attachments and associated metadata, meaning you no longer have to manually filter all emails with attachments in order to review them. You can also link directly back to the originating email artifact hit that contained the attachment.
On top of this, you can also run Magnet.AI on all email attachments (e.g., pictures) to easily identify content of interest.
Filtering, Sorting & Key Word Searching UX Improvements
We’ve improved the discoverability for our filtering capabilities on artifact column values (e.g., filter an artifact column like event logs) as well as added options to cancel accidental filtering, key word searches and sorting.
AXIOM Performance – Find Evidence Faster
AXIOM 2.5 brought a huge spike in performance improvements, but that doesn’t mean we’re slowing down! With AXIOM 2.6, we’ve improved the ability to review picture evidence by reducing the time it takes to resize pictures in AXIOM, and we’re currently seeing scan-time improvements of up to 40% on picture-heavy cases, depending on how many pictures are recovered.
We’ve delivered support for parsing the $UsnJrnl, a frequently requested artifact from our customers, especially those doing incident response or other corporate investigations. This artifact will provide valuable insight into the running set of changes that were made to files or directories on an endpoint or a suspect’s machine.
We’re always bringing new and updated artifacts to each release of AXIOM. Here’s what’s included in AXIOM 2.6:
New in iOS/macOS:
- App Data Usage
- Connection History
New in Android:
New in Windows:
- Skype App (v12)
- IME (Keyboard History)
- Bitcoin Debug Logs
- KakaoTalk Media Decryption
- WhatsApp (iOS/Android)
- MMS (Group Message — Android)
- SMS/MMS Content Provider (Android)
- Twitter (Android)
- Carbonite Backup Logs (Windows)