Acquiring evidence from a cloud-based user account
To acquire evidence from the cloud, you can sign in to an account with the target's user name and password, or—for some platforms—an authentication token that AXIOM Process discovers during a search or creates itself. For some cloud platforms, you can also acquire activity that is accessible to the public.
You can acquire evidence from the following cloud platforms and services: Amazon Web Services (AWS), Apple, Box.com, Dropbox, IMAP/POP Email, Facebook, Google, Instagram, Lyft, Mega, Microsoft, Microsoft Azure, Microsoft Teams, Slack, Twitter, Uber, and WhatsApp (Google Drive backups and QR code access). For more details about what type of information you can recover, see Supported cloud platforms and services.
Preparing a cloud account for acquisition
Depending on the platform and the evidence you want to acquire, you might need administrator privileges and will need to configure the administrator account to allow AXIOM Process to access data from user accounts, grant consent for the application, and more.
For more information about preparing cloud accounts for acquisition, review the following Knowledge Base articles in the Magnet Forensics Customer Portal:
Knowledge Base articles are available for the following platforms:
- General
- Amazon Web Services (AWS)
- Box.com
- Microsoft
- Microsoft Azure
- Microsoft Teams
- Slack
- Yahoo
Acquire a cloud user account
When you create a new case in AXIOM Process, you can acquire a single account for each cloud platform or service. If you want to add additional accounts, add them as a new evidence source after the original search completes.
After your search completes, you can find the login credentials for each cloud account that you acquire in the Cloud Accounts Information artifact in AXIOM Examine so that you can easily acquire additional information from the account later. You can also acquire additional information from the cloud by using passwords and tokens found during a search or decrypting a WhatsApp backup using a recovered decryption key.
Acquired cloud data is saved as a .zip file. Each service and platform is saved in a separate folder, each containing an attachments folder. The files are saved in the same structure that appears in the account online and in the File system view in AXIOM Examine.
If your agency requires that you use AXIOM Process through a proxy server, you can still use AXIOM Cloud to acquire users' accounts for Box.com, Dropbox, Facebook, Google, Instagram, and Microsoft. For more information about how to use AXIOM Process through a proxy server, see Connect to the internet using a system proxy.
Step 1: Sign in to a cloud account
Acquire evidence from many cloud-based platforms by logging in to an account with a user's login information in AXIOM Process. For some platforms, you can also sign in to a user's account using a QR code or authentication tokens that AXIOM Process discovers during a search or creates itself—though some cloud platforms have services and content that can't be acquired when you use a token to authenticate. IMAP/POP email, Facebook, Instagram, and Twitter don't support authentication tokens.
Note: To acquire evidence for Microsoft Teams, make sure you sign in to the user account for the user you want to acquire chats from.
Tip: If you are having trouble signing in to a Microsoft cloud account using the user name and password sign-in method, try signing in to the account using external browser authentication. Audit logs can't be collected using this authentication method.
- In AXIOM Process, click Evidence sources > Cloud > Acquire evidence.
- Confirm that you have proper search authorization.
- Click the platform that you want to sign in to.
- Follow the instructions in AXIOM Process to sign in to the account. Depending on the platform or user account, you might be prompted to:
  - Provide login information (such as a user name and password)
  - Scan a QR code
  - Provide a token
  - Provide two-factor authentication information or a verification code
  - Provide additional details (for example, for IMAP/POP email, you must select a protocol and provide the Server port and Host name)
Note: When AXIOM Process gains access to an account, the owner of the account might receive an e-mail notifying them that someone has signed in to their account.
Step 2: Select a date range
After you gain access to a cloud account, you can select a date range to acquire data from. By default, AXIOM Process acquires data from as far back in time as possible for the account. Acquiring some accounts can take a long time depending on the amount of data they contain, so you might want to narrow the date range to decrease the amount of time the acquisition takes.
- In the Date range drop-down list, select one of the following options:
  - To acquire data after a specified date, click After.
  - To acquire data before a specified date, click Before.
  - To acquire data between two specified dates, including the selected dates themselves, click Custom date range.
- Click the calendar icon and choose a date.
Note: Some services don't use the date range for acquisition even if you specify one. In these cases, AXIOM Process allows you to specify a date range, but acquires and displays data for all available dates. This behavior applies to Google connected apps, passwords, and recent devices.
Step 3: Select services and content
After you gain access to a cloud account, you can specify which services and content you want to acquire.
Note: Acquiring some content, such as Facebook Timeline comments and replies to comments, can increase acquisition time. AXIOM Process will attempt to collect all comments associated with Timeline posts but does not guarantee that all posts will be gathered.
- In Select services and content, complete the following actions:
  - Services: In the Service column, select or clear the check box for each service.
  - Content: If available, in the Content column, click Edit. Select or clear the check box for each item, and then click Next.
- When you've finished selecting services and content, click Next to continue setting up your case.
Change the container type for cloud acquisitions
You can save cloud acquisitions in AFF4-L or ZIP containers. The default container type for cloud acquisitions is AFF4-L.
- In AXIOM Process, on the Tools menu, click Settings.
- In Imaging > Cloud acquisition container, select one of the following options:
  - AFF4-L
  - ZIP
- Click Okay.
Supported cloud platforms and services
Platform / service | AXIOM Cloud | Magnet AXIOM Cyber | Services / content | Last activity | Size | Date range logic |
---|---|---|---|---|---|---|
Amazon Web Services | | ✓ | Amazon S3 Buckets; Amazon EC2 Instances | — | — | Files modified or created within the date range |
Apple | ✓ | ✓ | iCloud Drive files and recently deleted files; iCloud Mail; iCloud Photos | Photos only | Includes all photos | Files modified, created, or accessed within the date range |
Box.com (User) | ✓ | ✓ | Files and folders; User Events | Last modified of any files or folders | Includes all files and folders | Files modified, created, or accessed within the date range |
Box.com (Admin) | | ✓ | Files and folders from other accounts (if target has administrative privileges); Enterprise Events | Last modified of any files or folders | Includes all files and folders | Files modified, created, or accessed within the date range |
Dropbox | ✓ | ✓ | Files and folders | Last modified of any files or folders | Includes all files and folders | Files with server last accessed, client accessed, or time taken within the date range, including files that match the "from" date and "to" date |
Facebook | ✓ | ✓ | Facebook Friends; Facebook Messenger; Facebook Posts; Facebook Profile; Facebook Timeline | — | — | Posts and messages posted or sent within the date range |
Google (User) | ✓ | ✓ | Gmail Messages; Google Accounts (connected apps, passwords, recent devices, and timeline); Google Drive (files and folders); Google Hangouts; Google Photos; Google Takeout (Calendar Events, Contacts, Hangouts, Location History, Mbox from Gmail, Chrome, Tasks, Activity, Keep, and Photos); Google Activity (including activity and attachments) | — | Includes Messages, Drive, and Photos | Files modified, created, or accessed within the date range |
Google (Admin) | | ✓ | Services and content listed for Google (User); Google Workspace administrator and user accounts; Google Workspace login audit logs for Google Workspace Basic, Business, and Enterprise; Google Workspace Drive audit logs for Google Workspace Business and Enterprise | — | Includes Messages, Drive, and Photos | Files modified, created, or accessed within the date range |
IMAP / POP | ✓ | ✓ | Emails and attachments (note: POP3 does not support folder acquisition and acquires the inbox only) | — | — | Emails modified, created, or accessed within the chosen date range |
Instagram (User account) | ✓ | ✓ | Instagram Direct Messages; Instagram Posts | Date of most recent post | Includes total amount of posts | Posts uploaded or messages sent within the date range |
Instagram (Public activity) | ✓ | ✓ | Instagram Posts | — | — | Posts from the user name or hash tag posted within the date range |
Lyft | ✓ | ✓ | Profile information; Trip data | — | — | Trip data from within the date range |
Mega | ✓ | ✓ | Cloud Mega files | — | — | Files modified, created, or accessed within the date range |
Microsoft (User) | ✓ | ✓ | Office 365/Microsoft Mail (including hosted services: Hotmail, Outlook, MSN, and Live); OneDrive files and folders; Office 365 Outlook contacts; Office 365 Outlook calendars | Newest of last modified, last accessed, and last created files (OneDrive only) | Includes all files and folders (OneDrive only) | Files modified, created, or accessed within the date range |
Microsoft (Office 365 Admin) | | ✓ | Services and content listed for Microsoft (User); Audit logs; Emails, OneDrive, Audit logs (if enabled) from other accounts (if target has administrative privileges); SharePoint files and folders | Newest of last modified, last accessed, and last created files (OneDrive only) | Includes all files and folders (OneDrive only) | Files modified, created, or accessed within the date range |
Microsoft Azure | | ✓ | Virtual Machines | — | — | — |
Microsoft Teams | | ✓ | Channels; Chats | — | — | Messages sent within the date range |
Slack | | ✓ | Slack Public Channels; Slack Private Channels; Slack Direct Messages; Slack Direct Group Messages; Slack Users; Slack Workspaces | — | — | Messages sent within the date range |
Twitter (User account) | ✓ | ✓ | Twitter Direct Messages; Twitter Posts; Twitter Users (including followers, friends, and personal profile) information | Based on latest Tweets | Includes total amount of Tweets | Tweets posted within the date range |
Twitter (Public activity) | ✓ | ✓ | Twitter Posts; Twitter Users (including followers, friends, and personal profile) information | — | — | Tweets from the user name posted within the date range |
Uber | ✓ | ✓ | Uber Trip History | — | — | Trip history within the date range |
WhatsApp (Google Drive Backup) | ✓ | ✓ | WhatsApp backups | — | Includes all data backed up to Google Drive | Date that the backup was saved to Google Drive |
WhatsApp (QR code access) | ✓ | ✓ | WhatsApp chats | — | — | Chats within the date range |
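The date range logic in Step 2 and in the table above differs per service: which item timestamps are compared, that a custom range includes its "from" and "to" dates, and that some Google services ignore the range entirely. The following Python is an added example (not AXIOM Process code) an examiner could use to predict which items an acquisition with a given range should contain, for instance when checking a collection for gaps; the service keys, field names and sample metadata are constructed for illustration.

```python
from datetime import date

# Item timestamps each service compares against the selected date range,
# taken from the "Date range logic" column above. The keys are hypothetical
# identifiers used only in this example, not AXIOM Process names.
RANGE_FIELDS = {
    "aws": ("modified", "created"),
    "dropbox": ("server_accessed", "client_accessed", "time_taken"),
    "onedrive": ("modified", "created", "accessed"),
    "slack": ("sent",),
}

# Google services for which AXIOM Process ignores the range entirely.
IGNORES_RANGE = {"google_connected_apps", "google_passwords", "google_recent_devices"}

def in_range(service, item, after=None, before=None):
    """True if an item with the given timestamps (ISO 'YYYY-MM-DD' strings)
    falls inside the acquisition window. Bounds are inclusive, matching a
    custom date range that includes the selected dates; None is unbounded."""
    if service in IGNORES_RANGE:
        return True  # acquired and displayed for all available dates
    lo = date.fromisoformat(after) if after else date.min
    hi = date.fromisoformat(before) if before else date.max
    for field in RANGE_FIELDS[service]:
        value = item.get(field)
        if value is not None and lo <= date.fromisoformat(value) <= hi:
            return True  # any one qualifying timestamp is enough
    return False

def expected_items(service, items, after=None, before=None):
    """Names of the items that should be present in an acquisition."""
    return [i["name"] for i in items if in_range(service, i, after, before)]

# Constructed sample Dropbox metadata (not real acquisition output).
SAMPLE_DROPBOX = [
    {"name": "a.docx", "server_accessed": "2023-03-31"},   # equals the "to" date: included
    {"name": "b.jpg", "time_taken": "2022-12-25",
     "client_accessed": "2023-03-10"},                     # client access inside the window
    {"name": "c.pdf", "server_accessed": "2023-04-02"},    # after the window: excluded
]

if __name__ == "__main__":
    print(expected_items("dropbox", SAMPLE_DROPBOX, "2023-03-01", "2023-03-31"))
```

An item present in the acquisition but rejected here, or expected here but absent, points to a service whose rule differs from the table or to a collection worth re-running.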