What Upcoming Mac Artifacts and Features You Can Expect
With Magnet AXIOM 3.0, we’re excited to expand your computer investigations with support for APFS and Mac artifacts—but that’s just the beginning!
We’re continuing to work hard to add even more macOS capabilities in upcoming AXIOM releases. In addition to the ability to decrypt FileVault2 images, we’ve added artifact support for parsed user account information, FSEvents, connected devices, MRUs, and the KnowledgeC database.
We want to share some insight into what’s in store for Mac support. Keep in mind that AXIOM updates come every month, so the information you need to support your Mac investigations is not far away.
Extended Attributes (xattr)
In macOS investigations, extended file attributes can provide the examiner with a wealth of information about a file of interest. Extended attributes are extra metadata attached to a specific file that go beyond normal file system metadata, and can include information such as quarantine data, author, origin URL, and download date/time.
Over the next few releases of Magnet AXIOM, we will be adding support for macOS extended attributes such as kMDItemWhereFroms, giving examiners more context about how a file arrived on the system, whether from a web download or via AirDrop.
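To show what these two attributes actually carry, here is an added example (not Magnet AXIOM code) that decodes the raw bytes of `com.apple.metadata:kMDItemWhereFroms` (a binary plist array of URLs) and `com.apple.quarantine` (a `flags;hex-timestamp;agent;uuid` string) into one origin record. The attribute values are constructed samples rather than values read from a real system; on a live macOS host they would come from `os.getxattr`.

```python
import plistlib
from datetime import datetime, timezone


def parse_where_froms(raw: bytes) -> list:
    """Decode com.apple.metadata:kMDItemWhereFroms.

    macOS stores this attribute as a binary plist holding an array of
    strings: typically the download URL followed by the referrer page.
    """
    value = plistlib.loads(raw)
    if not isinstance(value, list):
        raise ValueError("kMDItemWhereFroms is not a plist array")
    return [str(v) for v in value]


def parse_quarantine(raw: bytes) -> dict:
    """Decode com.apple.quarantine.

    The attribute is a UTF-8 string of ';'-separated fields: flags (hex),
    download time (hex seconds since the Unix epoch), the agent that wrote
    it, and an optional event UUID keyed into the QuarantineEventsV2 database.
    """
    fields = raw.decode("utf-8").split(";")
    if len(fields) < 3:
        raise ValueError("quarantine attribute has too few fields")
    epoch = int(fields[1], 16)
    event_id = fields[3] if len(fields) > 3 and fields[3] else None
    return {
        "flags": int(fields[0], 16),
        "downloaded_epoch": epoch,
        "downloaded_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
        "agent": fields[2],
        "event_id": event_id,
    }


def summarize(where_froms: bytes, quarantine: bytes) -> dict:
    """Combine both attributes into a single origin record for a file."""
    urls = parse_where_froms(where_froms)
    record = parse_quarantine(quarantine)
    record["download_url"] = urls[0] if urls else None
    record["referrer"] = urls[1] if len(urls) > 1 else None
    return record


# Constructed sample attribute values (not taken from a real system).
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["https://example.test/downloads/report.pdf", "https://example.test/reports/"],
    fmt=plistlib.FMT_BINARY,
)
SAMPLE_QUARANTINE = b"0083;5c9e4d10;Safari;6F1E0C9A-0000-4000-8000-000000000001"

if __name__ == "__main__":
    print(summarize(SAMPLE_WHERE_FROMS, SAMPLE_QUARANTINE))
```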
Other Important Artifacts Coming Your Way
We will be adding artifact support for the macOS office suite, iWork, in Magnet AXIOM. This includes files created by the word processing application Pages, the presentation application Keynote, and the spreadsheet program Numbers. In upcoming releases, AXIOM will identify these documents and present them as an artifact for easy review.
Additionally, we will be adding support for Contacts in macOS. This artifact can provide valuable information such as names, phone numbers, addresses, and contact photos, and can add an extra layer of analysis when using Connections between different evidence sources.
The Quick Look Thumbnail Cache is a useful macOS feature that gives the user a preview of files in the file system. Soon, Magnet AXIOM will parse this cache and present examiners with these thumbnails as an artifact.
Similar to our support for the iOS keychain, we will soon add the same support for the macOS keychain as well! Our artifacts view will quickly display any passwords identified from applications, websites, or other services stored in the macOS keychain.
Future Enhancements on Our Horizon
In future versions of Magnet AXIOM, we are looking at tackling the challenge of data carving unallocated space in macOS, even though certain difficulties arise when dealing with these artifacts—such as decrypting unallocated space after a user password change.
Furthermore, we are currently in the research phase of support for APFS Snapshots. Found in macOS High Sierra and later, APFS snapshot data can add tons of value to your investigation, such as recovering deleted or older versions of files that are no longer found in the current snapshot due to accidental, intentional, or malicious means.
Finally, something that corporate customers can especially look forward to is added support for Institutional Recovery Keys (IRKs) for decryption of FileVault encrypted endpoints in your organization. Unlike personal recovery keys, IRKs are key files that act as encryption/decryption keys for FileVault data, typically seen in enterprise environments.
Magnet AXIOM and Our Commitment to Innovation
Remember, we release our updates monthly to provide you with our most current support available. Be on the lookout for future releases of Magnet AXIOM to get the most out of your macOS examinations. If you have any questions or recommendations of artifacts to include in future releases, please don’t hesitate to contact me at trey.amick@magnetforensics.com.