Beginning in Magnet AXIOM 3.11, the .dar (Disk ARchive) file format is supported for image processing.
In Cellebrite-generated .dar files, the Accessed, Modified, and Changed timestamps are stored inside the .dar file. However, the Created timestamp is stored in external .plists, typically found alongside your extraction in the “MetaData” folder.
In order to incorporate Created timestamps into your case from these .plists, you must point to the .ufd file in AXIOM Process.
If you do not have these .plists, AXIOM can still parse the content, as shown in the figures below; however, Created timestamps will not be displayed for filesystem entries.
I’ve also created a video walking through the steps of how to load the .dar file and include the timestamps:
If you’re not already using AXIOM, you can request a free 30-day trial today.
Feel free to reach out to me at firstname.lastname@example.org or @forensicmike1 on Twitter if you have any feedback.
Details about an exciting virtual lab from Mike and Chris Atha from NWC3 at this year’s Magnet Virtual Summit will be available soon. Be sure to register for updates at www.magnetvitualsummit.com to be the first to hear more.