How to Acquire and Analyze Cloud Data with Magnet AXIOM Cloud

New in Magnet AXIOM 1.2, we’ve added the ability to acquire data from the cloud given the user’s credentials. Currently we’ll pull data from Apple, Google, Facebook, Microsoft, Dropbox, and Twitter, with plans to add more sources in the future.

Each of those platforms may include several services. For example, for Microsoft, we’ll pull OneDrive, Microsoft Mail, and Office365 mail. For Google, we’ll acquire Gmail, Google Drive, Google Photos, Google Activity, Google Timeline Locations, Google Connected Apps, and Google Recent Devices.

AXIOM Cloud is integrated right into Magnet AXIOM alongside Computer and Mobile as another evidence source. You can process computer, mobile, and cloud data all in one search, so your analysis spans every source of evidence for a given case rather than living in a separate tool or product.

AXIOM Cloud evidence sources.

To load cloud data, simply click Cloud as an evidence source and choose Acquire. You will then be presented with a message asking you to confirm that you have proper search authorization to access and acquire the cloud data in question. We do this to make clear to examiners that we’re going out to pull this data from sources other than what’s found on the phone or computer. Once the box is accepted, you’ll be presented with all of the platforms supported and available.

AXIOM Cloud - Cloud Platform Authentication screen

From here we can sign in to any platform for which we have credentials and wish to pull cloud data. Currently we only support authentication via the username and password of the user’s account, but we hope to add support for 2-factor authentication and administrative login for Office365 and GSuite in the near future. In the screenshot below, you can see that I’ve logged into my test accounts for Dropbox, Facebook, Google, and Microsoft.

Sign-in status of cloud platform user accounts.

Some platforms will allow you to see the last activity on that account or an estimate of the amount of data that will be acquired. This isn’t available for all services, but we will show it when it is.

From here, we can move to the next screen, where we’re presented with some date/time collection options. You can choose to acquire all the cloud data available from that account, or limit it by date/time. For example, you could pull only the last month’s worth of messages or data from a given account if that is a limitation of your authorization, or if you simply wish to limit the amount of data being acquired.

Next, the evidence gets added to your case, ready to be processed. At this point you could continue to add evidence items such as a computer or phone, or proceed with the other processing options. In the screenshot below, I’ve added an additional computer E01 image and a physical image of a Samsung Galaxy S3.

Additional computer E01 image and physical image of a Samsung Galaxy S3.

At this point, we can continue to add processing options such as keywords, hashsets, etc., just as you would in any other case in AXIOM. Once your processing options and artifacts are selected, we’re ready to acquire and process the cloud data.

Depending on your network speed and the amount of cloud data being acquired, acquisition times may vary. I would expect it to take quite a bit longer if the user has a lot of storage in their Dropbox, OneDrive, and Google Drive accounts, as these can be several hundred gigabytes in size.

Once the processing is complete, we’re presented with the results in AXIOM Examine with the new cloud data found at the bottom under “Cloud”:

AXIOM Examine results

You may also see a category for “Cloud Storage.” The difference between the two is that Cloud Storage contains cloud-related artifacts that were found on the computer or phone, whereas Cloud artifacts were pulled directly from the cloud. For example, if I found Dropbox data on a user’s computer referencing files and accounts tied to Dropbox, it would fall under Cloud Storage; but if I authenticated and acquired data from the user’s Dropbox account online, it would be found under the Cloud category.

We can see that it found a good amount of data across each of the accounts, and this data is now integrated right into AXIOM alongside the computer and phone evidence that was recovered. Here’s a quick look at what Gmail email looks like in AXIOM when pulled from the cloud:

Gmail email recovery in AXIOM.

The columns in the middle list all the relevant details such as To/From/CC/BCC, Subject, Message, timestamps, email headers, etc. Along the right and bottom, those same details are listed again, together with two previews of the message: a text-only view that is automatically indexed and searchable, and a second view that renders the email in its native format, as the user would see it.

From here you can continue your examination just like any other, making use of sorting and filtering on any of the available columns to narrow down the number of emails to be searched. If any of the artifacts contain timestamps or geolocation data (and many of them do), the data can also be viewed in AXIOM’s Timeline or World Map views.

I hope this gives you a good overview of how to use the new cloud features in Magnet AXIOM. Watch the video below for a guided walkthrough of Magnet AXIOM Cloud:


Feel free to reach out if you have any questions or comments.

Jamie.mcquaid@magnetforensics.com