Warrant Return Analysis in Magnet AXIOM
For anyone who gets returns from warrants return content from Internet Service Providers (ISPs), searching and analyzing that content can be problematic. The returns are not in a standard format and there are a vast number of artifacts. The formats can change and typically come in .zip files that can include .html, .txt, .json, .csv, .xls, .pdf, .mbox, .jpg, .png, and more. In addition to having a variety of file types, the files can be nested in folder structures and multiple archives. How do you quickly look at an email or find the important or relevant chat? How do you timeline that content? And how do you coordinate it with existing data that you have from other sources? There is a need to be able to analyze these files effectively.
There are several additional challenges to analysis of warrant returns. In addition to the ever-changing formats, nested structures, and lack of standardization, it is difficult for researchers to get access to these returns. The Cloud Team at Magnet Forensics works closely with law enforcement practitioners who are the first to know when there are changes to the packages provided by ISPs. Additionally, we work with law enforcement who can share redacted content with us so that we can effectively create parsers. If you have content you can share with us, we welcome that at any time. It takes a community to parse the content.
However, because the formats often contain file types that AXIOM supports, AXIOM can still partially support some cloud artifacts before we are able to necessarily parse logical content from some of the artifacts to create new artifacts. For example, a nested .mbox will still be parsed as email content and picture formats will still appear in the gallery. As we understand .zip archives we are still able to provide the pathing.
If you are familiar with AXIOM, you may already be conducting your computer and mobile investigations in the tool. We have added support in AXIOM to aid in your ability to deal with this content through our support of warrant returns. Currently we support warrant returns from Apple, Facebook, Google, Instagram, and Snapchat. We are constantly working on additional formats. Are there formats you would like to see us support that you are seeing in your investigations?
One of the great things about using AXIOM to look at your warrant return data is that you can also view that data alongside your computer and mobile data. This allows you to look at the evidence more holistically and to timeline events in a more complete manner.
Want to see two examples of how to load warrant returns into AXIOM? Check out Tarah Melton’s videos on Facebook and Instagram warrant returns:
Want to know more about the artifacts we support? Check out the individual posts on:
If you have any comments or questions feel free to reach out to me at Jessica.firstname.lastname@example.org. We would love to hear your thoughts on additional warrant returns to support and humbly look forward to any datasets you may be able to share.