We know that the ability to support the latest and greatest mobile devices and operating systems is critical in your investigations. This fall saw the release of iOS 14 and Android 11, and we’ve been hard at work updating our support for both so you can be confident you’re getting the most evidence from your mobile sources!
We take a look at some of the new mobile features and artifacts included in the latest versions of AXIOM and AXIOM Cyber below.
Be sure to read Chris Vance’s blog here for more insights into iOS 14: iOS 14: First Thoughts and Analysis
We also have a great comparison of iOS vs Android artifacts in our recent webinar from Jessica Hyde and Chris Vance: Mobile Artifact Comparison – Understanding the Similarities Between iOS and Android Data
And for more on how you can accelerate your mobile investigations with AXIOM, check out Part 2 of our “All Your Case Data in Magnet AXIOM” blog series!
Once you’ve obtained access to a device, time is of the essence, so quickly collecting the relevant data is critical.
AXIOM’s Quick Imaging feature helps you to collect as much information as possible from a mobile device, as quickly as possible, so that you can start examining the evidence right away. A quick image is a comprehensive logical image that contains both user data and some native application data.
Quick Imaging is supported on the latest versions of iOS and Android. For iOS devices, AXIOM can obtain a quick image from devices running version 5.0 and later. For Android, quick images can be obtained from devices running version 2.1 and later. See this video from Tarah Melton for a quick demo of Quick Imaging for Android:
With AXIOM and AXIOM Cyber 4.7, our full complement of iOS and Android artifacts has been updated to support iOS 14 and Android 11.
Included with these are several new artifacts to help you get even more from your mobile images.
Google Apps for iOS
Google productivity apps have been gaining popularity as an alternative to Microsoft Office. AXIOM and AXIOM Cyber support parsing evidence from several Google productivity apps for iOS, including Google Docs, Drive, Slides, and Sheets.
With AXIOM and AXIOM Cyber 4.7, we’ve also added new iOS artifacts for Google Photos Media and Google Photos Album, helping you collect and analyze even more potential picture evidence!
Android Motion Photos
A Motion Photo is a short video automatically captured before and after taking a still picture, similar to an iOS Live Photo. Users can leverage this feature to select the best still picture frame or view/share the video itself. AXIOM can now recover Motion Photo artifacts so you can easily add them to your case!
New Custom Artifacts Added to Artifact Exchange
In addition to the updates above, we’re pleased to highlight some new custom mobile artifacts that you, our community, have added to our Artifact Exchange! These three new custom artifacts, written by players in our Magnet Weekly CTF Challenge, include:
- SOLID EXPLORER 2 DB (ANDROID) – Joshua James, email@example.com
  - Solid Explorer is an Android file management app inspired by the old school file commander applications (http://neatbytes.com/solidexplorer/). This artifact is the local database for Solid Explorer 2 that shows file access and associated times in Unix ms.
- BASH HISTORY V2 (COMPUTER/MOBILE) – Kevin Pagano, firstname.lastname@example.org
  - An updated version of Jessica Hyde’s Bash History parser, which now includes Mobile. It parses the “.bash_history” file and lists out the executed commands.
- GOOGLE CALENDAR (ANDROID) – Joshua James, email@example.com
  - Android Google Calendar app SQLite database containing calendar settings, including the user account and sync time.
We’ve highlighted some more recent additions to our Artifact Exchange repository in Tarah’s blog here: Highlighting Some Custom Artifacts in the Artifact Exchange
Learn more about what’s new in Magnet AXIOM 4.7, and be sure to try out the new mobile features and artifacts today!