Blog

New Features

Magnet AXIOM Adds Support for .dar Files

Beginning in Magnet AXIOM 3.11, the dar file format (or Disk ARchive) is now supported for image processing.

In Cellebrite-generated .dar files, Accessed, Modified, and Changed are stored inside the .dar file. However, the Created timestamp is stored in external .plists, typically found alongside your extraction in the “MetaData” folder.

These metadata plists contain extra information about the iDevice extraction.

For a further explanation of the 4 timestamps on iOS, please check out this blog post from our Jessica Hyde (@B1N2H3X).

In order to incorporate Created timestamps into your case from these .plists, you must point to the .ufd file in AXIOM Process.

In the event you do not have these plists, AXIOM can still parse the content as shown in the figures below, however Created timestamps will not be displayed for filesystem entries.

Artifacts view with and without referencing the metadata plists.
File System Detail view with and without referencing the metadata plists.

I’ve also created a video walking through the steps of how to load the ,dar file and include the timestamps:

If you’re not already using AXIOM, you can request a free 30-day trial today.

Feel free to reach out to me at mike.williamson@magnetforensics.com or @forensicmike1 on Twitter if you have any feedback.

Details about an exciting virtual lab from Mike and Chris Atha from NWC3 at this year’s Magnet Virtual Summit will be available soon. Be sure to register for updates at www.magnetvitualsummit.com to be the first to hear more.

Start modernizing your digital investigations today.

Ready to explore on your own? Start a Free Trial

:qa Top