Release Notes
Magnet AXIOM
2.9.0.12898
January 28, 2018
Artifact updates
Android
- Call Logs
- Chrome
- Contacts
- Email
- Reddit (NEW)
- Samsung Browser Tabs (NEW)
- SMS/MMS
iOS
- iMessage/SMS/MMS
- Instagram
- Location History
- iMessage/SMS/MMS
- KnowledgeC Intents & Media (NEW)
Windows
- Chrome Extensions (NEW)
- Edge Favorites & Top Sites... (NEW)
- Firefox Favorites & Add-ons (NEW)
- Skype
- User Accounts
- Your Phone Devices (NEW)
File artifacts
- Specify file extensions for files to parse
- Provide file signatures, such as headers and footers, for files to carve
- Parsed and carved files are displayed as artifact hits
Mobile
- Added new exploits that enable logical acquisitions on rooted Android devices (and some unpatched Android 5, 6, 7 devices)
Cloud
- Recover calendar event information using G Suite
Encrypted Files
- Encrypted Files artifact now runs much faster and returns better results
- Turned on by default for users that have Passware
Artifacts
- Calendar | Android: Updated carving support for calendar events. [Android 6, 7, 8]
- Call Logs | Android: Updated carving support to recover more information about the call and local user, including the contact phone number and location information. [Android 7, 8]
- Chrome | Windows: Updated parsing support to recover installed browser plugins and extensions. [36-71]
- Contacts | Android: Updated parsing support to recover information about the last date and time and the number of times users were contacted by other devices. [Android 8]
- Custom Artifacts: In the XML schema for custom artifacts, platform values (i.e. iOS, Android, and Computer) are no longer case-sensitive.
- Custom Artifacts: XML custom artifacts that do not have a Platform element defined are no longer invalid; omitting the element is equivalent to specifying All platforms.
- Edge | Windows: Added support for recovering Favorites, Reading Lists, Top Sites, and Typed URLs. [44]
- Edge | Windows: Updated parsing support to recover installed extensions. [44.17763]
- Edge/Internet Explorer 10-11 | Windows: Updated several Internet Explorer 10-11 artifacts to now include results from Edge.
- Edge/Internet Explorer 10-11 | Windows: Updated support for recovering Cookies. [44]
- Encrypted Files: Significant performance improvements aimed at reducing false positives and decreasing scan time. This artifact is available with the Passware plugin, and is now turned on by default.
- Firefox | Windows: Updated parsing support to recover installed add-ons. [62.0.3]
- Hangul | Android: Updated parsing and carving support to better recover Hangul documents from ADB database and .HWP files.
- iMessage/SMS/MMS | iOS: Improvements to how messages are recovered and cross-referenced with contacts, resulting in fewer hits that are missing recipient attributes. [iOS 12.1.2]
- iMessage/SMS/MMS | iOS: Names are now associated with the phone numbers/email addresses of iMessage conversation partners.
- Instagram | iOS: Updated support for recovering Direct Messages. [74.0]
- Kik Messenger | iOS: Added support for recovering anonymous chat messages. [15.0]
- Messages and Call Logs | Android: Improvements to the Connections view for the message and call log artifacts from multiple applications, so that results are associated with the local user.
- MMS | Android: Updated carving support to better recover MMS messages. [Android 6]
- Reddit | Android: Recover information about users, posts, and subreddits visited using the Reddit app.
- Samsung Browser | Android: Recover information about the Tabs that the user opens and the websites they visit. [9.0.00.32]
- Samsung Email | Android: Added carving and parsing support for Samsung Email messages. [Android 7]
- Snapchat | iOS: Added support for new GUID types to retrieve Snapchat videos sent in chats. [10.44-10.48]
- User Accounts | Windows: Added support for decryption of NTLM hashes to improve recovery of NTLM hashes and passwords. [Windows 10 v1607]
- Your Phone | Windows: Recover information about synced Pictures and Devices from the Your Phone application. [1803]
Cloud
- Improvements were made to reduce the load time of the Files and Folders view for the following cloud platforms and services: Box.com, Dropbox, Google Drive, iCloud Drive, and Microsoft OneDrive. Additionally, the display of files and folders now better reflects the structure in the application.
- If you configure a G Suite administrator account to give Magnet AXIOM access, you can now access Calendar Events from users under the account’s administrator privileges. Note: If you previously configured a Google administrator account to give Magnet AXIOM access to its G Suite user accounts, you must update the administrator account to reflect the most recent API scopes. Review the documentation in the AXIOM User Guide for more information.
- The Google Photos cloud artifact has been updated to reflect the metadata available from the Google Photos API including the following new fields: "Creation Time", "Album ID", and "Is Shared Album." Some fields previously available in the Google Photos artifact will now appear as EXIF metadata within the AXIOM Pictures artifact. Location data is no longer provided from the Google Photos API.
Processing
- You can now configure AXIOM Process to search for custom file types. During a search, AXIOM Process might discover file types that aren't currently supported by AXIOM artifacts. Configure the Custom file types list to include the file types you want to search for. When AXIOM Process discovers these file types during a search, it creates artifact hits that you can view in AXIOM Examine.
- Improvements have been made to how AXIOM Process identifies SQLite databases found when you enable the Dynamic App Finder.
- You can complete a logical acquisition of the contents of /data/data on an Android device using the ADB workflow.
Bug fixes
- If you used the Dynamic App Finder during a search, the search appeared to stall with the status "Processing evidence 100%", and you weren’t alerted that you needed to return to AXIOM Process to configure the recovered artifacts. -AXP-4221
- When processing a Cellebrite image that included an encrypted iOS 10+ backup, AXIOM Process incorrectly reported that no artifacts were found. -AXP-4363
- When processing an encrypted iOS 10+ backup, AXIOM Process did not return the expected number of artifact hits. -AXP-4469
- When viewing evidence items in a .zip container in AXIOM Examine, the application could become unresponsive after a period of activity. -AXE-6430
- When attempting to export Cloud Gmail messages to a PST file, the "From Address" field was not populated. -CAO-1875
- In some cases, Magnet.AI was unable to use a GPU to process evidence even though the driver was supported. -AE-744
- Carving some types of documents can cause a search to time out. -ARTC-169
- Attachment filenames weren't being displayed in Skype conversations. -ART-10098
- Chat bubbles were not displayed in the Preview card for iOS SMS/MMS. -ART-10112
Known issues
- In some cases, if a case is processed in a newer version of AXIOM and actions are later performed in an older version of AXIOM, an error message might appear or you might experience unexpected behavior. Workaround: Update Magnet AXIOM to the latest version.
- In some situations, antivirus software is known to prevent Magnet AXIOM from creating a portable case. For example, if malware URLs are part of the evidence being exported, the portable case might not get created successfully. Workaround: Turn off the antivirus software and create the portable case. Turn on the antivirus software again.
- Magnet AXIOM crashes when out of disk space. Workaround: Check the amount of disk space available for the case and acquisition directories before you start processing.
- When you process an encrypted iTunes backup and provide the password to decrypt it, the data might still appear in its encrypted form in AXIOM Examine. Workaround: Extract the iOS image from the compressed container to a different location on your computer. In AXIOM Process, perform a Files and Folders scan. (In the Evidence sources section, click Mobile > iOS > Load evidence > Files and Folders.)