Using Magnet ACQUIRE in Your Investigations

    We recently announced a beta program for our latest tool, Magnet ACQUIRE™. Magnet ACQUIRE is a smartphone acquisition tool that will enable you to quickly and easily extract an image from any iOS or Android smartphone or tablet. We are currently accepting applications for the beta program from existing customers, and will be launching a community beta later this summer.

    As you know, full physical extractions are becoming more and more difficult to obtain without using advanced techniques, such as JTAG and chip-off. Manufacturers are locking bootloaders and encrypting data by default, limiting the options for examiners who are looking to get a full image of a device. With Magnet ACQUIRE, we’ve developed two distinct extraction methods, Quick and Full, to help examiners obtain the right image depending on the needs of the examination and the support for the device.

    A Quick Extraction allows examiners to quickly and reliably obtain a logical image, and will work on all iOS and Android devices. The image includes a backup of the most important user data, as well as additional data found within the file system. With an iOS device, for example, the Quick Extraction method would be comparable to a combined method 1 and method 2 acquisition with other forensic acquisition tools.

    Examiners are also able to perform a Full Extraction on some of the most popular Android devices that support rooting, or are already rooted. Magnet ACQUIRE will automatically try the most common privilege escalation exploits available for Android devices to obtain physical access. A Full Extraction will also work on jailbroken iOS devices.

    Use Case Scenario

    As examiners, we are challenged every day with managing more work than there are hours in the day. In addition, the sheer quantity of devices that are included in each examination seems to grow with every case. In the early days, there were often only one or two PCs to be examined for an investigation. Today, it’s not uncommon to see over a dozen PCs and smartphones tied to a single investigation. Often, many of these devices have nothing of value to the case, but still need to be examined in order to find the handful of devices that are vital to the investigation.

    Imagine that you’re a law enforcement examiner who supports vice or drug investigations. After a raid, you are presented with 15 mobile devices that were seized from suspects upon arrest or found at the scene. Many of these devices will not contain data relevant to the investigation; however, you still need to examine all 15 of them in order to determine which ones contain the evidence you need.

    Using Magnet ACQUIRE, you can obtain a Quick Extraction of each device and upload the image to Magnet IEF to quickly review for any evidence that may be relevant to the case. A Quick Extraction can take less than 5 minutes, depending on the device, which means you can start your analysis sooner. In addition, IEF enables you to queue up several images at once, making the analysis process faster. Once you have identified the 3 or 4 devices that are of value to your investigation, you can determine if you need to dig deeper and obtain either a full image or perform a JTAG or chip-off to collect more data from the devices.

    Magnet ACQUIRE can help you analyze multiple devices faster, eliminating the need to conduct a complete analysis on all 15 devices, and enabling you to focus your analysis efforts on the 3 or 4 devices that are most important to the investigation. We hope that Magnet ACQUIRE will assist in your workflow and enable you to work more efficiently.

    As always, if you have any questions or comments, please feel free to contact me: jamie.mcquaid@magnetforensics.com.

    If you’re interested in learning more about how Magnet ACQUIRE works, take a look at some of our additional resources:

    Learn More About Magnet ACQUIRE

    Join the Magnet ACQUIRE Beta Program