Using AXIOM Cloud for Slack Acquisitions

    Magnet AXIOM 3.0 has shaped up to be the biggest release of AXIOM since it was introduced to the market three years ago! In this release, we’ve added both APFS file system support as well as support for additional artifacts, including cloud acquisitions of Slack data.

    The latest version of Magnet AXIOM is now available for customers to download! Either upgrade within AXIOM, or head over to the Customer Portal to download AXIOM 3.0.

    If you’re not already using AXIOM and want to try AXIOM 3.0 for yourself, request a trial today.

    What the Slack?

    Originally released in 2009, Slack allows for collaboration across both private messages and private/public channels. Channels let projects or teams collaborate in a space similar to a chat room. Slack also has a searchable history feature, which indexes messages and shared files so users can find them easily. Slack can also be used in enterprise environments with external partner accounts, giving organizations flexibility when working with clients or contractors.

    As of May 2018, Slack has over eight million daily active users[i]. With the amount of data and communications being transferred, Magnet Forensics assists corporate investigators in capturing information relevant to their casework, quickly and efficiently. Features such as Connections, with multiple data sources like Slack and Office 365, can allow examiners to efficiently complete their casework.

    Slack Acquisition & Analysis

    Acquisition process for Slack

    We’ve made acquiring data directly from Slack into AXIOM a quick three-step process. Before casework can commence, coordinate with your IT/SOC to make sure AXIOM is whitelisted among the apps that can access Slack. You’ll only need to whitelist AXIOM once. Next, simply enter the account information and credentials of the account that is under investigation into AXIOM and select Analyze Evidence.

    Once acquired and processed, examiners can review the following Slack artifacts:

    • Messages
    • Channels
    • Files/Media Shared
    • Users
    • Workspaces

    Results of Slack Artifacts

    Under the Cloud Slack Messages artifact, investigators can see direct messages, channel messages (from public channels), and private channel messages, as well as attachments shared between users.

    It’s also worth mentioning that Slack support was added for both Android and iOS in AXIOM 2.10. The mobile Slack artifacts will recover channels, channel messages, direct messages, files, users, and workspaces.

    If there are artifacts you’d like to see supported in AXIOM or if you have any questions, please don’t hesitate to reach out to me at trey.amick@magnetforensics.com

    [i] https://www.statista.com/statistics/652779/worldwide-slack-users-total-vs-paid/