The top 10 updates in Magnet Axiom in 2023
With all of the monthly artifact and feature updates that we brought to Magnet Axiom in 2023, we’ve added new functionality, streamlined processing, and ensured that you can get the insights needed for your cases. In this blog, we round up 10 of the most noteworthy updates that came to Axiom this year.
1. Automatically import and process mobile images in Magnet Axiom from a Magnet Graykey
This year Magnet Forensics and Grayshift merged, and one of our first orders of business was to add a new integration to further streamline the workflow between Graykey and Axiom. To help you work as efficiently as possible when collecting from and examining mobile evidence sources, we added the ability to initiate processing of all filesystem and other extractions with Magnet Axiom directly from a Magnet Graykey on the same network. This includes the decryption of keychain (iOS) and keystore (Android) data, providing access to additional device passwords and application data.
2. Search for CSAM content using Thorn’s robust AI models
Internet Crimes Against Children (ICAC) investigations can often take the biggest toll on law enforcement agencies. As part of our commitment to unlock the truth and protect the innocent, this year we partnered with Thorn—a company that shares our commitment to developing solutions to help investigators bring justice to those who victimize children—to leverage their CSAM Image Classifier to improve the detection of CSAM across picture and video artifacts.
Thorn’s CSAM Image Classifier is a machine-learning classification model that will co-exist with Magnet.AI. The addition of this tool offers you another way to quickly and easily identify victims of child sexual abuse by automatically categorizing illicit pictures and videos, minimizing the manual effort required to review images in CSAM cases and reducing exposure to promote officer wellness.
To read more, check out our blog from the 7.0 release.
3. Privileged material
To help support investigations with privileged material, we integrated an option into Axiom that allows you to tag or exclude artifact evidence from case data during processing based on a keyword list. Using this feature, you can load the list of keywords and choose to either tag or exclude artifacts containing those keywords. This can be helpful where a manual review process is utilized to remove the content, or in scenarios where it must automatically be excluded.
You also have the option to easily exclude artifacts tagged as privileged when exporting a report. This will allow you to easily filter out privileged materials before sharing reports and other exports with your stakeholders, reducing manual effort, and helping to ensure that any privileged materials are protected.
4. iOS Biome artifacts
Changes in mobile operating systems can throw forensics investigations a curveball by moving some of the key records to a new location or storage format, which is just what happened with iOS 16 and Biomes. Data from the Biome can be used to provide a detailed story about how a user interacts with their digital device within any given timeframe. Uncovering what applications have been used during specific times of the day—even if the application has been deleted—can help support pattern-of-life analysis, showing what’s normal user behaviour and allowing you to key in on what’s not normal.
In Episode 3 of his Mobile Unpacked series, “Missing data? Build back better with Biomes!”, Chris Vance explored the SEGB file format, the tools needed for finding and validating the data stored within, and what artifacts ran off to this location after going missing from old locations such as KnowledgeC.
To read more on Biomes, check out our blog “Bringing it back with Biome data”.
5. Review SaaS free trial
Adding to our complete end-to-end workflow, this year we launched a new version of Magnet Review and gave all existing Magnet Axiom customers early access to the free trial.
Magnet Review helps you easily and securely share digital evidence from all your sources with your investigative teams and stakeholders so you can work together to finish cases faster. Our SaaS-based version of Magnet Review integrates with Axiom so you can securely share your cases directly from the Examine export dialogue, and your stakeholders can access Review from any web browser with no special hardware or software required.
6. Android Keystore processing
To coincide with the Axiom and Graykey automatic import and processing integration, we also added the ability to have Axiom pre-process Android Keystore data while processing Graykey mobile images, automatically decrypting high-value artifact data from mobile applications.
This feature saves significant time and effort as Axiom will now automatically identify applications with keystore data that can be decrypted. This also reduces the need to manually manage and apply keystore data to individual apps, helping to ensure that any potential evidence source isn’t overlooked. The decryptions also happen in tandem with the initial processing of the mobile data, so you don’t need to wait for the extraction to be processed prior to applying the keystore data.
To learn more about Android keystore processing, read “Decrypt app data using the Android Keystore and Graykey” (Support Portal login required.)
7. New LevelDB Viewer in Axiom Examine
LevelDB is an open-source key-value storage engine developed by Google as “a building block for higher-level storage systems”. LevelDB has been ported to a variety of Unix-based systems, Mac OS X, Windows, and Android, and is also commonly used in mobile applications.
With the growing prominence of LevelDB format data, we added the ability to preview the content of LevelDB databases right in File System Explorer of Axiom. To help with your investigation of this data, you can also search the database, view and save BLOB data, or change the encoding of data in the table.
8. Free Tool: Magnet Hash Sets Manager
Maintaining up-to-date hash sets can be a painful process, especially for those operating in offline labs. Magnet Hash Sets Manager lets you easily manage a central database of hash sets that you can distribute to your team’s instances of Magnet Axiom and Magnet Axiom Cyber, even if they are operating offline.
Commonly referred to as the DNA or fingerprint of digital files, hash sets are an invaluable tool for DFIR investigations, allowing you to quickly identify case-relevant and non-pertinent evidence related to your investigations.
9. Multi-artifact view enhancement to artifact explorer
In our major 7.0 release, we introduced a multi-artifact view for Artifact Explorer. With this enhancement, Artifact Explorer enables viewing multiple artifacts at once, helping you uncover the most pertinent information for your case by showing you multiple details deemed most important for each artifact.
10. Saving custom filters in Artifact Explorer & applying recently used filters
While no two cases are the same, there are often similar starting points or approaches to case types. This past year, we added the ability to save filter sets in Axiom’s Artifact Explorer for later use in similar case types to help you work as efficiently as possible. Many case types can require the analysis of the same file locations or keywords, so readily available filters can save valuable time preparing your data for review and applying frequently used filters while analyzing a case.
You can share saved filter combinations to ensure a consistent approach to investigations within your team, which can be especially beneficial for onboarding new forensics team members or even shared with examiners in other jurisdictions.
Earlier in the year we also added the ability to view and re-apply the last five date and time filters, helping you to easily alternate between date ranges, or no date filters, to help ensure information relevant to your case isn’t missed.
Learn more about Magnet Axiom and how it can help you recover and analyze your evidence in one case over on the product page, and request a free trial to see it for yourself!