Here at Magnet Forensics we’ve always been big believers in the “toolbox” approach to investigations. While many of our customers use Magnet AXIOM as their primary investigative tool for mobile, computer and cloud investigations, when lives are at stake, and justice hangs in the balance, we know it’s important to verify your results. Different tools have different strengths, and when it comes to convicting or exonerating a suspect, you want to make sure every strength is given its due. Often, using a secondary tool will even help you get through certain parts of the investigation more efficiently, while still maintaining the accuracy that’s so crucial for the whole process.
When it comes to mobile investigations, you probably have Cellebrite’s UFED as one of those tools in your toolbox. We know it may even be the only one that you have. UFED performs extractions from various mobile devices and it’s likely convenient for you to continue performing your initial examinations with it. However, you could be missing essential data if you don’t verify your evidence with more than one tool.
AXIOM was designed to not only ingest images from various tools (including UFED) but to be the clearest and most robust analysis tool available. So, after you’ve done your acquisition and first pass of the data with UFED, AXIOM can be an extremely powerful solution for analyzing the evidence. Here are five reasons why we think you should use AXIOM to verify what you’ve done with UFED:
1. AXIOM Finds Important Additional Evidence
Magnet Forensics pioneered the artifacts-first approach; no other tool recovers and surfaces more relevant artifacts than AXIOM does.
This is especially true of evidence that is abundant on mobile devices: artifacts like photos, chats, social media artifacts, geolocation data, and browser activity. And because mobile analysis is all about the artifacts, it’s important to make sure you’re seeing the ones that might matter to your investigation first—something AXIOM does for you every time.
In fact, based on internal testing that we’ve done, we’ve found that AXIOM finds up to 25% more evidence than other tools available. That’s significant! Especially if AXIOM can find that one photo or that one chat that leads to a breakthrough in your investigation.
“After running Cellebrite, I always follow up with AXIOM if the case involves social media or internet artifacts. I find AXIOM will always get more data from these sources.”
Steve Ware, Computer Forensic Investigator, City of Redding
2. AXIOM Analyzes Evidence from Mobile Devices, Computers, and the Cloud
While UFED is commonly used for mobile investigations, AXIOM is a complete digital forensics platform that can process and analyze evidence from multiple evidentiary sources, including computers, mobile devices, and cloud services. Investigations are rarely just about a person’s computer, or their phone… it’s about that person’s activity and behavior. And that activity and behavior has a digital footprint that spans all of their devices: their phone, their computer, and their social media and other cloud-based accounts.
The fact of the matter is that crime is often not restricted to one device or source of data. As our lives become increasingly digitally enhanced, our digital footprint grows too. AXIOM can ingest and analyze evidence from all of those sources in one case file, which gives you a holistic view of the person’s activity and how it relates to the case. Whether it’s child exploitation or corporate intrusions, you can’t solely rely on a solution that focuses on one evidence source.
3. Quickly Get Insight into Your Investigations
We know speed is of the essence for you during an investigation, whether you need evidence immediately so you can use it during an interview or you need to move through your workload faster. AXIOM has many different features to help you save time in your investigations by providing immediate and actionable insight into your evidence.
Visualize a Timeline Across All Timestamped Data
Many additional timestamps, other than those reported by the file system, can be found within AXIOM’s artifacts. The Timeline feature in Magnet AXIOM will show you all artifact timestamps, including chat records, EXIF data, and web activity, alongside the file system timestamps in a single view so you can quickly and easily sort, filter and zero in on what you’re looking for.
Easily Understand Evidence Attribution with Connections
Connections allows you to more easily understand attribution of a file or artifact by visualizing connections between artifacts and files in your case. You’ll be able to quickly understand how a file, such as a picture, might have gotten on someone’s phone and where it might have gone, which can be very helpful in many investigations.
This is just the start. There are many other great reasons to use AXIOM—things like relative-time filtering, advanced filtering, and our amazing SQLite Viewer will help you find more evidence and work through it faster.
4. Locate and Analyze Data from Unsupported Mobile Apps
At Magnet Forensics, we call this supporting the unsupported. Mobile apps especially are constantly changing, and new ones are being introduced at a rapid pace. Sometimes these new apps have features, like anonymous chats, that can be used for nefarious purposes.
Dynamic App Finder
How are you supposed to find chat evidence from that app if you don’t even know it exists? This is where Dynamic App Finder (DAF) helps you find that evidence. DAF will identify SQLite databases that may contain useful information in your case. This could ultimately lead to you finding something of critical importance that you didn’t even know was there.
Custom artifacts are used to analyze artifacts that aren’t yet supported by AXIOM. They’re XML or Python scripts that have been built and uploaded by professionals in the Digital Forensics Community to help their peers with their cases.
Custom artifacts live in the Magnet Artifact Exchange. This community-based approach is yet another way for you to find more evidence.
5. Easy-To-Understand Reporting—Including Chat-Rebuilding
Even with solid evidence of an incident or a crime, if you don’t have the means to convey your findings in a way that is easily understood by your stakeholders, such as a judge or jury, then all of your hard work may be fruitless.
AXIOM produces easy-to-understand reports, including the ability to rebuild chats into the conversation bubble-view commonly used on mobile devices, which examiners and users are accustomed to.
When a non-technical judge or jury member sees the conversation bubble-view on the report, just as they see it on the phone they use every day, they can understand the interactions far better than something presented to them as a spreadsheet or regular text.
And—similarly to UFED Reader—AXIOM has a feature called Portable Case that allows you to provide a single report to non-technical stakeholders. This significantly cuts down on the time and frustration of merging data from all of your different sources, whether mobile, computer, or cloud.
Try AXIOM on Your UFED Extractions Today
So, the next time you’ve done an examination with UFED, think of AXIOM and give it a try. Here’s a blog we wrote a while ago that walks you through how to load a Cellebrite image into AXIOM.
And if you don’t have AXIOM yet, sign up for a free 30-day trial and see for yourself what kind of results you get. We think you’ll be pleasantly surprised!