Acquiring evidence from a cloud-based user account

To acquire evidence from the cloud, you can sign in to an account with the target's user name and password, or—for some platforms—an authentication token that AXIOM Process discovers during a search or creates itself. For some cloud platforms, you can also acquire activity that is accessible to the public.

You can acquire evidence from the following cloud platforms and services: Amazon Web Services (AWS), Apple, Box.com, Dropbox, IMAP/POP Email, Facebook, Google, Instagram, Lyft, Mega, Microsoft, Microsoft Azure, Microsoft Teams, Slack, Twitter, Uber, and WhatsApp (Google Drive backups and QR code access). For more details about what type of information you can recover, see Supported cloud platforms and services.

Preparing a cloud account for acquisition

Depending on the platform and the evidence you want to acquire, you might need administrator privileges and will need to configure the administrator account to allow AXIOM Process to access data from user accounts, grant consent for the application, and more.

For more information about preparing cloud accounts for acquisition, review the following Knowledge Base articles in the Magnet Forensics Customer Portal:

  • General
  • Amazon Web Services (AWS)
  • Box.com
  • Google
  • Microsoft
  • Microsoft Azure
  • Microsoft Teams
  • Slack
  • Yahoo

Acquire a cloud user account

When you create a new case in AXIOM Process, you can acquire a single account for each cloud platform or service. If you want to add additional accounts, add them as a new evidence source after the original search completes.

After your search completes, you can find the login credentials for each cloud account that you acquire in the Cloud Accounts Information artifact in AXIOM Examine so that you can easily acquire additional information from the account later. You can also acquire additional information from the cloud by using passwords and tokens found during a search or decrypting a WhatsApp backup using a recovered decryption key.

Acquired cloud data is saved as a .zip file. Each service and platform is saved in a separate folder, each containing an attachments folder. The files are saved in the same structure that appears in the account online and in the File system view in AXIOM Examine.

If your agency requires that you use AXIOM Process through a proxy server, you can still use AXIOM Cloud to acquire users' accounts for Box.com, Dropbox, Facebook, Google, Instagram, and Microsoft. For more information about how to use AXIOM Process through a proxy server, see Connect to the internet using a system proxy.

Step 1: Sign in to a cloud account

Acquire evidence from many cloud-based platforms by logging in to an account with a user's login information in AXIOM Process. For some platforms, you can also sign in to a user's account using a QR code or authentication tokens that AXIOM Process discovers during a search or creates itself—though some cloud platforms have services and content that can't be acquired when you use a token to authenticate. IMAP/POP email, Facebook, Instagram, and Twitter don't support authentication tokens.

Note: To acquire evidence for Microsoft Teams, make sure you sign in to the user account for the user you want to acquire chats from.

Tip: If you are having trouble signing in to a Microsoft cloud account using the user name and password sign-in method, try signing in to the account using external browser authentication. Audit logs can't be collected using this authentication method.

  1. In AXIOM Process, click Evidence sources > Cloud > Acquire evidence.
  2. Confirm that you have proper search authorization.
  3. Click the platform that you want to sign in to.
  4. Follow the instructions in AXIOM Process to sign in to the account. Depending on the platform or user account, you might be prompted to:
    • Provide login information (such as a user name and password)
    • Scan a QR code
    • Provide a token
    • Provide two-factor authentication information or a verification code
    • Provide additional details (for example, for IMAP/POP email, you must select a protocol and provide the Server port and Host name).

Note: When AXIOM Process gains access to an account, the owner of the account might receive an e-mail notifying them that someone has signed in to their account.

Step 2: Select a date range

After you gain access to a cloud account, you can select a date range to acquire data from. By default, AXIOM Process acquires data from as far back in time as possible for the account. Acquiring some accounts can take a long time depending on the amount of data they contain, so you might want to narrow the date range to decrease the amount of time the acquisition takes.

  1. In the Date range drop-down list, select one of the following options:
    • To acquire data after a specified date, click After.
    • To acquire data before a specified date, click Before.
    • To acquire data between two specified dates, including those dates selected, click Custom date range.
  2. Click the calendar icon and choose a date.

Note: Some services don't use the date range for acquisition even if you specify one. In these cases, AXIOM Process allows you to specify a date range, but acquires and displays data for all available dates. This behavior applies to Google connected apps, passwords, and recent devices.

Step 3: Select services and content

After you gain access to a cloud account, you can specify which services and content you want to acquire.

Note: Acquiring some content, such as Facebook Timeline comments and replies to comments, can increase acquisition time. AXIOM Process will attempt to collect all comments associated with Timeline posts but does not guarantee that all posts will be gathered.

  1. In Select services and content, complete the following actions:
    • Services: In the Service column, select or clear the check box for each service.
    • Content: If available, in the Content column, click Edit. Select or clear the check box for each item, and then click Next.
  2. When you've finished selecting services and content, click Next to continue setting up your case.

Change the container type for cloud acquisitions

You can save cloud acquisitions in AFF4-L or ZIP containers. The default container type for cloud acquisitions is AFF4-L.

  1. In AXIOM Process, on the Tools menu, click Settings.
  2. In Imaging > Cloud acquisition container, select one of the following options:
    • AFF4-L
    • ZIP
  3. Click Okay.

Supported cloud platforms and services

For each platform or service, the table below lists the services and content that can be acquired, how the last activity date and size are determined (where the platform reports them), and the date range logic that is applied.

Amazon Web Services
  Services / content: Amazon S3 Buckets; Amazon EC2 Instances
  Date range logic: Files modified or created within the date range

Apple
  Services / content: iCloud Drive files and recently deleted files; iCloud Mail; iCloud Photos
  Last activity: Photos only
  Size: Includes all photos
  Date range logic: Files modified, created, or accessed within the date range

Box.com (User)
  Services / content: Files and folders; User Events
  Last activity: Last modified of any files or folders
  Size: Includes all files and folders
  Date range logic: Files modified, created, or accessed within the date range

Box.com (Admin)
  Services / content: Files and folders from other accounts (if target has administrative privileges); Enterprise Events
  Last activity: Last modified of any files or folders
  Size: Includes all files and folders
  Date range logic: Files modified, created, or accessed within the date range

Dropbox
  Services / content: Files and folders
  Last activity: Last modified of any files or folders
  Size: Includes all files and folders
  Date range logic: Files with server last accessed, client accessed, or time taken within the date range, including files that match the "from" date and "to" date

Facebook
  Services / content: Facebook Friends; Facebook Messenger; Facebook Posts; Facebook Profile; Facebook Timeline
  Date range logic: Posts and messages posted or sent within the date range

Google (User)
  Services / content: Gmail Messages; Google Accounts (connected apps, passwords, recent devices, and timeline); Google Drive (files and folders); Google Hangouts; Google Photos; Google Takeout (Calendar Events, Contacts, Hangouts, Location History, Mbox from Gmail, Chrome, Tasks, Activity, Keep, and Photos); Google Activity (including activity and attachments)
  Size: Includes Messages, Drive, and Photos
  Date range logic: Files modified, created, or accessed within the date range

Google (Admin)
  Services / content: Services and content listed for Google (User); Google Workspace administrator and user accounts; Google Workspace login audit logs for Google Workspace Basic, Business, and Enterprise; Google Workspace Drive audit logs for Google Workspace Business and Enterprise
  Size: Includes Messages, Drive, and Photos
  Date range logic: Files modified, created, or accessed within the date range

IMAP / POP
  Services / content: Emails and attachments
  Note: POP3 does not support folder acquisition and acquires the inbox only.
  Date range logic: Emails modified, created, or accessed within the chosen date range

Instagram (User account)
  Services / content: Instagram Direct Messages; Instagram Posts
  Last activity: Date of most recent post
  Size: Includes total amount of posts
  Date range logic: Posts uploaded or messages sent within the date range

Instagram (Public activity)
  Services / content: Instagram Posts
  Date range logic: Posts from the user name or hash tag posted within the date range

Lyft
  Services / content: Profile information; Trip data
  Date range logic: Trip data from within the date range

Mega Cloud
  Services / content: Mega files
  Date range logic: Files modified, created, or accessed within the date range

Microsoft (User)
  Services / content: Office 365/Microsoft Mail (including hosted services: Hotmail, Outlook, MSN, and Live); OneDrive files and folders; Office 365 Outlook contacts; Office 365 Outlook calendars
  Last activity: Newest of last modified, last accessed, and last created files (OneDrive only)
  Size: Includes all files and folders (OneDrive only)
  Date range logic: Files modified, created, or accessed within the date range

Microsoft (Office 365 Admin)
  Services / content: Services and content listed for Microsoft (User); Audit logs; Emails, OneDrive, Audit logs (if enabled) from other accounts (if target has administrative privileges); SharePoint files and folders
  Last activity: Newest of last modified, last accessed, and last created files (OneDrive only)
  Size: Includes all files and folders (OneDrive only)
  Date range logic: Files modified, created, or accessed within the date range

Microsoft Azure
  Services / content: Virtual Machines

Microsoft Teams
  Services / content: Channels; Chats
  Date range logic: Messages sent within the date range

Slack
  Services / content: Slack Public Channels; Slack Private Channels; Slack Direct Messages; Slack Direct Group Messages; Slack Users; Slack Workspaces
  Date range logic: Messages sent within the date range

Twitter (User account)
  Services / content: Twitter Direct Messages; Twitter Posts; Twitter Users (including followers, friends, and personal profile) information
  Last activity: Based on latest Tweets
  Size: Includes total amount of Tweets
  Date range logic: Tweets posted within the date range

Twitter (Public activity)
  Services / content: Twitter Posts; Twitter Users (including followers, friends, and personal profile) information
  Date range logic: Tweets from the user name posted within the date range

Uber
  Services / content: Uber Trip History
  Date range logic: Trip history within the date range

WhatsApp (Google Drive Backup)
  Services / content: WhatsApp backups
  Size: Includes all data backed up to Google Drive
  Date range logic: Date that the backup was saved to Google Drive

WhatsApp (QR code access)
  Services / content: WhatsApp chats
  Date range logic: Chats within the date range
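As an added example (not AXIOM Process code or part of its documentation), the script below applies the Step 2 date range options and the "files modified, created, or accessed within the date range" logic from the table to constructed file metadata, so an examiner can check that an export stays inside the selected scope. The metadata field names, the sample records, and the exclusive treatment of After and Before are assumptions; only the Custom range is documented as inclusive.

```python
# Added example, not from the AXIOM documentation: checks exported file
# metadata against the Step 2 date range options and the table's "modified,
# created, or accessed within the date range" rule. Field names and the sample
# records are constructed for illustration.
from datetime import date, datetime
from typing import Optional


def in_date_range(d: date, mode: str, start: Optional[str], end: Optional[str]) -> bool:
    """Apply the range chosen in the calendar picker (ISO 'YYYY-MM-DD' bounds).
    Custom includes both selected dates, as the documentation states; After and
    Before are treated as exclusive here (an assumption; the page does not say)."""
    lo = date.fromisoformat(start) if start else None
    hi = date.fromisoformat(end) if end else None
    if mode == "after":
        return d > lo
    if mode == "before":
        return d < hi
    if mode == "custom":
        return lo <= d <= hi
    raise ValueError(f"unknown date range mode: {mode}")


def record_dates(record: dict) -> list:
    """Collect whichever modified/created/accessed timestamps a record carries."""
    return [datetime.fromisoformat(record[k]).date()
            for k in ("modified", "created", "accessed") if record.get(k)]


def matches_range(record: dict, mode: str, start=None, end=None) -> bool:
    """A file matches when ANY of its modified, created, or accessed dates
    falls inside the selected range (the table's date range logic)."""
    return any(in_date_range(d, mode, start, end) for d in record_dates(record))


def out_of_scope(records: list, mode: str, start=None, end=None) -> list:
    """Names of acquired files that fail the selected range; a non-empty
    result means the export holds data outside the chosen scope."""
    return [r["name"] for r in records if not matches_range(r, mode, start, end)]


# Constructed sample metadata in the shape an acquisition export might list.
SAMPLE_FILES = [
    {"name": "report.docx", "modified": "2023-03-10T09:15:00", "created": "2023-01-02T08:00:00"},
    {"name": "old.pdf", "modified": "2022-11-30T12:00:00", "created": "2022-11-30T12:00:00",
     "accessed": "2023-03-01T07:30:00"},  # in scope only through its accessed date
    {"name": "archive.zip", "modified": "2021-06-01T10:00:00", "created": "2021-05-01T10:00:00"},
]

print(out_of_scope(SAMPLE_FILES, "custom", "2023-03-01", "2023-03-31"))  # ['archive.zip']
```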